commit 49ddd92c115c6943c4602d44f52c22b6f47698e8 Author: Yawning Angel yawning@schwanenlied.me Date: Mon Mar 30 21:53:39 2015 +0000
Validate the RSA key size received when parsing INTRODUCE2 cells.
Fixes bug 15600; reported by skruffy --- changes/bug15600 | 5 +++++ src/or/rendservice.c | 10 ++++++++++ 2 files changed, 15 insertions(+)
diff --git a/changes/bug15600 b/changes/bug15600 new file mode 100644 index 0000000..ee1d6cf --- /dev/null +++ b/changes/bug15600 @@ -0,0 +1,5 @@ + o Major bugfixes (security, hidden service): + - Fix an issue that would allow a malicious client to trigger + an assertion failure and halt a hidden service. Fixes + bug 15600; bugfix on 0.2.1.6-alpha. Reported by "skruffy". + diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 8a4a11e..436f2f4 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1810,6 +1810,16 @@ rend_service_parse_intro_for_v2(
goto err; } + if (128 != crypto_pk_keysize(extend_info->onion_key)) { + if (err_msg_out) { + tor_asprintf(err_msg_out, + "invalid onion key size in version %d INTRODUCE%d cell", + intro->version, + (intro->type)); + } + + goto err; + }
ver_specific_len = 7+DIGEST_LEN+2+klen;