June 2017 - tor-commits - lists.torproject.org

[tor/master] TROVE-2017-004: Fix assertion failure in relay_send_end_cell_from_edge_
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 79b59a2dfcb68897ee89d98587d09e55f07e68d7 Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jun 5 09:35:03 2017 -0400 TROVE-2017-004: Fix assertion failure in relay_send_end_cell_from_edge_ This fixes an assertion failure in relay_send_end_cell_from_edge_() when an origin circuit and a cpath_layer = NULL were passed. A service rendezvous circuit could do such a thing when a malformed BEGIN cell is received but shouldn't in the first place because the service needs to send an END cell on the circuit for which it can not do without a cpath_layer. Fixes #22493 Reported-by: Roger Dingledine <arma(a)torproject.org> Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- changes/trove-2017-004 | 5 +++++ src/or/connection_edge.c | 21 ++++++++++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/changes/trove-2017-004 b/changes/trove-2017-004 new file mode 100644 index 0000000..106d3af --- /dev/null +++ b/changes/trove-2017-004 @@ -0,0 +1,5 @@ + o Major bugfixes (hidden service, relay): + - Fix an assertion failure when an hidden service handles a malformed + BEGIN cell. This bug resulted in the service crashing triggered by a + tor_assert(). Part of TROVE-2017-004. Fixes bug 22493; bugfix on + tor-0.3.0.1-alpha. Found by armadev. diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index dac0c01..d9d9e73 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -3091,14 +3091,21 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) char *address = NULL; uint16_t port = 0; or_circuit_t *or_circ = NULL; + origin_circuit_t *origin_circ = NULL; + crypt_path_t *layer_hint = NULL; const or_options_t *options = get_options(); begin_cell_t bcell; int rv; uint8_t end_reason=0; assert_circuit_ok(circ); - if (!CIRCUIT_IS_ORIGIN(circ)) + if (!CIRCUIT_IS_ORIGIN(circ)) { or_circ = TO_OR_CIRCUIT(circ); + } else { + tor_assert(circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED); + origin_circ = TO_ORIGIN_CIRCUIT(circ); + layer_hint = origin_circ->cpath->prev; + } relay_header_unpack(&rh, cell->payload); if (rh.length > RELAY_PAYLOAD_SIZE) @@ -3123,7 +3130,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) return -END_CIRC_REASON_TORPROTOCOL; } else if (rv == -1) { tor_free(bcell.address); - relay_send_end_cell_from_edge(rh.stream_id, circ, end_reason, NULL); + relay_send_end_cell_from_edge(rh.stream_id, circ, end_reason, layer_hint); return 0; } @@ -3160,7 +3167,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) if (!directory_permits_begindir_requests(options) || circ->purpose != CIRCUIT_PURPOSE_OR) { relay_send_end_cell_from_edge(rh.stream_id, circ, - END_STREAM_REASON_NOTDIRECTORY, NULL); + END_STREAM_REASON_NOTDIRECTORY, layer_hint); return 0; } /* Make sure to get the 'real' address of the previous hop: the @@ -3177,7 +3184,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) } else { log_warn(LD_BUG, "Got an unexpected command %d", (int)rh.command); relay_send_end_cell_from_edge(rh.stream_id, circ, - END_STREAM_REASON_INTERNAL, NULL); + END_STREAM_REASON_INTERNAL, layer_hint); return 0; } @@ -3188,7 +3195,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) if (bcell.flags & BEGIN_FLAG_IPV4_NOT_OK) { tor_free(address); relay_send_end_cell_from_edge(rh.stream_id, circ, - END_STREAM_REASON_EXITPOLICY, NULL); + END_STREAM_REASON_EXITPOLICY, layer_hint); return 0; } } @@ -3211,7 +3218,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) n_stream->deliver_window = STREAMWINDOW_START; if (circ->purpose == CIRCUIT_PURPOSE_S_REND_JOINED) { - origin_circuit_t *origin_circ = TO_ORIGIN_CIRCUIT(circ); + tor_assert(origin_circ); log_info(LD_REND,"begin is for rendezvous. configuring stream."); n_stream->base_.address = tor_strdup("(rendezvous)"); n_stream->base_.state = EXIT_CONN_STATE_CONNECTING; @@ -3231,7 +3238,7 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) * the hidden service. */ relay_send_end_cell_from_edge(rh.stream_id, circ, END_STREAM_REASON_DONE, - origin_circ->cpath->prev); + layer_hint); connection_free(TO_CONN(n_stream)); tor_free(address);

1 0

[tor/maint-0.3.0] Bump to 0.2.8.14
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 792931d53d26e469ea2e22f63911b1553c053473 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 8 09:27:54 2017 -0400 Bump to 0.2.8.14 --- configure.ac | 2 +- contrib/win32build/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 9c6d95d..092aa74 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ dnl Copyright (c) 2007-2015, The Tor Project, Inc. dnl See LICENSE for licensing information AC_PREREQ([2.63]) -AC_INIT([tor],[0.2.8.13]) +AC_INIT([tor],[0.2.8.14]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) diff --git a/contrib/win32build/tor-mingw.nsi.in b/contrib/win32build/tor-mingw.nsi.in index ae477b8..ba0cf5c 100644 --- a/contrib/win32build/tor-mingw.nsi.in +++ b/contrib/win32build/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.8.13" +!define VERSION "0.2.8.14" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index b61f59f..41ce26e 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -229,7 +229,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.8.13" +#define VERSION "0.2.8.14"

1 0

[tor/maint-0.3.0] Bump to 0.2.4.29
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 8e439a66f3846b65a16b62936ad1d35dbf902e9d Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 8 09:25:31 2017 -0400 Bump to 0.2.4.29 --- configure.ac | 2 +- contrib/tor-mingw.nsi.in | 2 +- src/win32/orconfig.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 8e70722..6b4d009 100644 --- a/configure.ac +++ b/configure.ac @@ -3,7 +3,7 @@ dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson dnl Copyright (c) 2007-2013, The Tor Project, Inc. dnl See LICENSE for licensing information -AC_INIT([tor],[0.2.4.28]) +AC_INIT([tor],[0.2.4.29]) AC_CONFIG_SRCDIR([src/or/main.c]) AC_CONFIG_MACRO_DIR([m4]) AM_INIT_AUTOMAKE diff --git a/contrib/tor-mingw.nsi.in b/contrib/tor-mingw.nsi.in index da24244..4e00cb7 100644 --- a/contrib/tor-mingw.nsi.in +++ b/contrib/tor-mingw.nsi.in @@ -8,7 +8,7 @@ !include "LogicLib.nsh" !include "FileFunc.nsh" !insertmacro GetParameters -!define VERSION "0.2.4.28" +!define VERSION "0.2.4.29" !define INSTALLER "tor-${VERSION}-win32.exe" !define WEBSITE "https://www.torproject.org/" !define LICENSE "LICENSE" diff --git a/src/win32/orconfig.h b/src/win32/orconfig.h index cca8ad0..5468455 100644 --- a/src/win32/orconfig.h +++ b/src/win32/orconfig.h @@ -241,7 +241,7 @@ #define USING_TWOS_COMPLEMENT /* Version number of package */ -#define VERSION "0.2.4.28" +#define VERSION "0.2.4.29"

1 0

[tor/master] Merge branch 'maint-0.3.0'
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 9acca040257caf5894126e8da3df7226f6dcd480 Merge: 5955b63 0c46dc8 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 8 09:17:32 2017 -0400 Merge branch 'maint-0.3.0' changes/trove-2017-004 | 8 ++++++++ src/or/connection_edge.c | 21 ++++++++++++++------- 2 files changed, 22 insertions(+), 7 deletions(-)

1 0

[tor/master] Another changes fix.
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit eb5d05f696a2de7572427ae55c35816e01796efc Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 8 09:20:53 2017 -0400 Another changes fix. --- changes/trove-2017-004 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/changes/trove-2017-004 b/changes/trove-2017-004 index aa90145..eb0789d 100644 --- a/changes/trove-2017-004 +++ b/changes/trove-2017-004 @@ -1,8 +1,8 @@ o Major bugfixes (hidden service, relay, security): - - Fix an assertion failure when an hidden service handles a + - Fix an assertion failure when a hidden service handles a malformed BEGIN cell. This bug resulted in the service crashing triggered by a tor_assert(). Fixes bug 22493, tracked as - TROVE-2017-004 and as CVE-2017-0375; bugfix on tor-0.3.0.1-alpha. + TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha. Found by armadev.

1 0

[tor/master] Merge branch 'maint-0.3.0'
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 83135d75a3d87e4fd5f163aecb742180c01d9d0e Merge: 9acca04 53011e3 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 8 09:21:15 2017 -0400 Merge branch 'maint-0.3.0' changes/trove-2017-004 | 4 ++-- changes/trove-2017-005 | 7 +++++++ src/or/relay.c | 3 ++- 3 files changed, 11 insertions(+), 3 deletions(-)

1 0

[tor/master] TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 56a7c5bc15e0447203a491c1ee37de9939ad1dcd Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jun 5 11:11:42 2017 -0400 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell On an hidden service rendezvous circuit, a BEGIN_DIR could be sent (maliciously) which would trigger a tor_assert() because connection_edge_process_relay_cell() thought that the circuit is an or_circuit_t but is an origin circuit in reality. Fixes #22494 Reported-by: Roger Dingledine <arma(a)torproject.org> Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- changes/trove-2017-005 | 7 +++++++ src/or/relay.c | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 new file mode 100644 index 0000000..cebb013 --- /dev/null +++ b/changes/trove-2017-005 @@ -0,0 +1,7 @@ + o Major bugfixes (hidden service, relay, security): + - Fix an assertion failure caused by receiving a BEGIN_DIR cell on + a hidden service rendezvous circuit. Fixes bug 22494, tracked as + TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found + by armadev. + + diff --git a/src/or/relay.c b/src/or/relay.c index 7f06c6e..59b79f9 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1297,7 +1297,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, "Begin cell for known stream. Dropping."); return 0; } - if (rh.command == RELAY_COMMAND_BEGIN_DIR) { + if (rh.command == RELAY_COMMAND_BEGIN_DIR && + circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { /* Assign this circuit and its app-ward OR connection a unique ID, * so that we can measure download times. The local edge and dir * connection will be assigned the same ID when they are created

1 0

[tor/maint-0.2.9] TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 56a7c5bc15e0447203a491c1ee37de9939ad1dcd Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jun 5 11:11:42 2017 -0400 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell On an hidden service rendezvous circuit, a BEGIN_DIR could be sent (maliciously) which would trigger a tor_assert() because connection_edge_process_relay_cell() thought that the circuit is an or_circuit_t but is an origin circuit in reality. Fixes #22494 Reported-by: Roger Dingledine <arma(a)torproject.org> Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- changes/trove-2017-005 | 7 +++++++ src/or/relay.c | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 new file mode 100644 index 0000000..cebb013 --- /dev/null +++ b/changes/trove-2017-005 @@ -0,0 +1,7 @@ + o Major bugfixes (hidden service, relay, security): + - Fix an assertion failure caused by receiving a BEGIN_DIR cell on + a hidden service rendezvous circuit. Fixes bug 22494, tracked as + TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found + by armadev. + + diff --git a/src/or/relay.c b/src/or/relay.c index 7f06c6e..59b79f9 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1297,7 +1297,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, "Begin cell for known stream. Dropping."); return 0; } - if (rh.command == RELAY_COMMAND_BEGIN_DIR) { + if (rh.command == RELAY_COMMAND_BEGIN_DIR && + circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { /* Assign this circuit and its app-ward OR connection a unique ID, * so that we can measure download times. The local edge and dir * connection will be assigned the same ID when they are created

1 0

[tor/maint-0.2.9] Merge branch 'maint-0.2.6' into maint-0.2.7-redux
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 4915d9c5a7fc8db2497258a293137426cbd0d665 Merge: 2efe027 b796ad0 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Jun 8 09:28:54 2017 -0400 Merge branch 'maint-0.2.6' into maint-0.2.7-redux "ours" merge to avoid version bump.

1 0

[tor/maint-0.3.0] TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
by nickm＠torproject.org 08 Jun '17

08 Jun '17

commit 56a7c5bc15e0447203a491c1ee37de9939ad1dcd Author: David Goulet <dgoulet(a)torproject.org> Date: Mon Jun 5 11:11:42 2017 -0400 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell On an hidden service rendezvous circuit, a BEGIN_DIR could be sent (maliciously) which would trigger a tor_assert() because connection_edge_process_relay_cell() thought that the circuit is an or_circuit_t but is an origin circuit in reality. Fixes #22494 Reported-by: Roger Dingledine <arma(a)torproject.org> Signed-off-by: David Goulet <dgoulet(a)torproject.org> --- changes/trove-2017-005 | 7 +++++++ src/or/relay.c | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 new file mode 100644 index 0000000..cebb013 --- /dev/null +++ b/changes/trove-2017-005 @@ -0,0 +1,7 @@ + o Major bugfixes (hidden service, relay, security): + - Fix an assertion failure caused by receiving a BEGIN_DIR cell on + a hidden service rendezvous circuit. Fixes bug 22494, tracked as + TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found + by armadev. + + diff --git a/src/or/relay.c b/src/or/relay.c index 7f06c6e..59b79f9 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1297,7 +1297,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, "Begin cell for known stream. Dropping."); return 0; } - if (rh.command == RELAY_COMMAND_BEGIN_DIR) { + if (rh.command == RELAY_COMMAND_BEGIN_DIR && + circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { /* Assign this circuit and its app-ward OR connection a unique ID, * so that we can measure download times. The local edge and dir * connection will be assigned the same ID when they are created

1 0