commit 758428dd32128874cefacc92ef63c1b5bc9a656e Author: Nick Mathewson nickm@torproject.org Date: Tue Oct 23 22:58:38 2012 -0400

Fix a remotely triggerable assertion failure (CVE-2012-2250)

If we completed the handshake for the v2 link protocol but wound up negotiating the wong protocol version, we'd become so confused about what part of the handshake we were in that we'd promptly die with an assertion.

This is a fix for CVE-2012-2250; it's a bugfix on 0.2.3.6-alpha. All servers running that version or later should really upgrade.

Bug and fix from "some guy from France." I tweaked his code slightly to make it log the IP of the offending node. --- changes/link_negotiation_assert | 6 ++++++ src/or/command.c | 9 +++++++++ 2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert new file mode 100644 index 0000000..398a545 --- /dev/null +++ b/changes/link_negotiation_assert @@ -0,0 +1,6 @@ + o Major bugfixs (security): + - Fix a group of remotely triggerable assertion failures related to + incorrect link protocol negotiation. Found, diagnosed, and fixed + by "some guy from France." Fix for CVE-2012-2250; bugfix on + 0.2.3.6-alpha. + diff --git a/src/or/command.c b/src/or/command.c index 975af04..d935b5b 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -719,6 +719,15 @@ command_process_versions_cell(var_cell_t *cell, or_connection_t *conn) "handshake. Closing connection."); connection_mark_for_close(TO_CONN(conn)); return; + } else if (highest_supported_version != 2 && + conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V2) { + /* XXXX This should eventually be a log_protocol_warn */ + log_fn(LOG_WARN, LD_OR, + "Negotiated link with non-2 protocol after doing a v2 TLS " + "handshake with %s. Closing connection.", + fmt_addr(&conn->_base.addr)); + connection_mark_for_close(TO_CONN(conn)); + return; }

conn->link_proto = highest_supported_version;