[tor-bugs] #4367 [Tor Relay]: command_process_auth_challenge_cell() mishandles lack of expected auth type
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Nov 1 06:10:46 UTC 2011
#4367: command_process_auth_challenge_cell() mishandles lack of expected auth type
-----------------------+----------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor Relay | Version:
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
In command_process_auth_challenge_cell() we start with
{{{
use_type = -1;
}}}
Then we do
{{{
for (i=0; i < n_types; ++i, cp += 2) {
uint16_t authtype = ntohs(get_uint16(cp));
if (authtype == AUTHTYPE_RSA_SHA256_TLSSECRET)
use_type = authtype;
}
}}}
Then we check
{{{
if (use_type && public_server_mode(get_options())) {
}}}
So if we didn't find any authtypes of 1 offered, use_type will remain -1,
which is true, so we'll call connection_or_send_authenticate_cell(), which
will fail, and we'll mark the conn.
It's not so bad since connection_or_send_authenticate_cell() just does a
log_warn at LD_BUG and returns.
But it's not entirely harmless, since in the far future if we stop listing
authtype 1, these tors will close the conn when they ought to (at least
based on what the code is trying to do; it's up for grabs if this is
actually the right behavior) be just not authenticating.
I think we can fix just by initting use_type to 0.
Reported and diagnosed by frosty_un.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4367>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list