
Merge remote-tracking branch 'origin/maint-0.2.4' into maint-0.2.5

Nick Mathewson 9 jaren geleden
bovenliggende
commit
fe69a7e1d7
5 gewijzigde bestanden met toevoegingen van 29 en 6 verwijderingen
  1. 5 0
      changes/bug15600
  2. 4 0
      changes/bug15601
  3. 1 1
      src/or/rendcommon.c
  4. 10 0
      src/or/rendservice.c
  5. 9 5
      src/or/routerparse.c

+ 5 - 0
changes/bug15600

@@ -0,0 +1,5 @@
+  o Major bugfixes (security, hidden service):
+    - Fix an issue that would allow a malicious client to trigger
+      an assertion failure and halt a hidden service. Fixes
+      bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy".
+

+ 4 - 0
changes/bug15601

@@ -0,0 +1,4 @@
+  o Major bugfixes (security, hidden service):
+    - Fix a bug that could cause a client to crash with an assertion
+      failure when parsing a malformed hidden service descriptor.
+      Fixes bug 15601; bugfix on 0.2.1.5-alpha. Found by "DonnCha".

+ 1 - 1
src/or/rendcommon.c

@@ -1087,7 +1087,7 @@ rend_cache_store_v2_desc_as_client(const char *desc,
     goto err;
   }
   /* Decode/decrypt introduction points. */
-  if (intro_content) {
+  if (intro_content && intro_size > 0) {
     int n_intro_points;
     if (rend_query->auth_type != REND_NO_AUTH &&
         !tor_mem_is_zero(rend_query->descriptor_cookie,
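Review bot: The added `intro_size > 0` test in `if (intro_content && intro_size > 0)` sends a non-NULL but zero-length `intro_content` down whatever path handles a descriptor without introduction points. That path is outside this hunk, so confirm that the buffer is still freed there and that such a descriptor is meant to be accepted rather than rejected. The intent deserves a comment above the condition, for example `/* Only parse a non-empty intro-point section; rend_parse_introduction_points() rejects empty input. */`, assuming this branch is what calls that parser. The body of rend_cache_store_v2_desc_as_client starts and ends outside the hunk.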

+ 10 - 0
src/or/rendservice.c

@@ -1819,6 +1819,16 @@ rend_service_parse_intro_for_v2(
 
     goto err;
   }
+  if (128 != crypto_pk_keysize(extend_info->onion_key)) {
+    if (err_msg_out) {
+      tor_asprintf(err_msg_out,
+                   "invalid onion key size in version %d INTRODUCE%d cell",
+                   intro->version,
+                   (intro->type));
+    }
+
+    goto err;
+  }
 
   ver_specific_len = 7+DIGEST_LEN+2+klen;
 
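Review bot: The literal `128` in `if (128 != crypto_pk_keysize(extend_info->onion_key))` is unexplained. It is presumably the byte length of a 1024-bit RSA modulus, but the hunk does not show which unit crypto_pk_keysize() returns. Prefer a named constant (`PK_BYTES`, if the tree's definition is that quantity) or add a comment such as `/* Onion keys must be 1024-bit RSA (128 bytes); reject anything else before it is used. */`. The check sits in rend_service_parse_intro_for_v2, whose body starts and ends outside the hunk, so confirm against the preceding decode step that `onion_key` is already known to be non-NULL here.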

+ 9 - 5
src/or/routerparse.c

@@ -4684,7 +4684,7 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
                                size_t intro_points_encoded_size)
 {
   const char *current_ipo, *end_of_intro_points;
-  smartlist_t *tokens;
+  smartlist_t *tokens = NULL;
   directory_token_t *tok;
   rend_intro_point_t *intro;
   extend_info_t *info;
@@ -4693,8 +4693,10 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
   tor_assert(parsed);
   /** Function may only be invoked once. */
   tor_assert(!parsed->intro_nodes);
-  tor_assert(intro_points_encoded);
-  tor_assert(intro_points_encoded_size > 0);
+  if (!intro_points_encoded || intro_points_encoded_size == 0) {
+    log_warn(LD_REND, "Empty or zero size introduction point list");
+    goto err;
+  }
   /* Consider one intro point after the other. */
   current_ipo = intro_points_encoded;
   end_of_intro_points = intro_points_encoded + intro_points_encoded_size;
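Review bot: The new `goto err` for empty input is taken before anything in the visible hunks assigns `area`, yet the cleanup at `done:` in the last hunk tests `if (area)` before calling memarea_drop_all(). The commit initializes `tokens` to NULL for exactly this reason, and `area` needs the same guarantee. Its declaration lies between the first two hunks and is not shown, so confirm it reads `memarea_t *area = NULL;` (type inferred from the memarea call). Also confirm that any other local released on the `err` path has a defined value this early. The body of rend_parse_introduction_points starts and ends outside the hunks.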
@@ -4798,8 +4800,10 @@ rend_parse_introduction_points(rend_service_descriptor_t *parsed,
 
  done:
   /* Free tokens and clear token list. */
-  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
-  smartlist_free(tokens);
+  if (tokens) {
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
+    smartlist_free(tokens);
+  }
   if (area)
     memarea_drop_all(area);