[tor-bugs] #5644 [- Select a component]: rend_service_introduce() asserts circuit->rend_data before checking for proto violation

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Wed Apr 18 21:48:48 UTC 2012


#5644: rend_service_introduce() asserts circuit->rend_data before checking for
proto violation
----------------------------------+-----------------------------------------
 Reporter:  asn                   |          Owner:       
     Type:  defect                |         Status:  new  
 Priority:  normal                |      Milestone:       
Component:  - Select a component  |        Version:       
 Keywords:                        |         Parent:  #5643
   Points:                        |   Actualpoints:       
----------------------------------+-----------------------------------------
 {{{
 ...
 #ifndef NON_ANONYMOUS_MODE_ENABLED
   tor_assert(!(circuit->build_state->onehop_tunnel));
 #endif
   tor_assert(circuit->rend_data);

   base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
                 circuit->rend_data->rend_pk_digest, REND_SERVICE_ID_LEN);
   log_info(LD_REND, "Received INTRODUCE2 cell for service %s on circ %d.",
            escaped(serviceid), circuit->_base.n_circ_id);

   if (circuit->_base.purpose != CIRCUIT_PURPOSE_S_INTRO) {
     log_warn(LD_PROTOCOL,
              "Got an INTRODUCE2 over a non-introduction circuit %d.",
              circuit->_base.n_circ_id);
     return -1;
   }
 }}}

 A bad exit might be able to exploit this by sending a
 `RELAY_COMMAND_INTRODUCE2` cell to a client (through a
 `CIRCUIT_PURPOSE_C_GENERAL` circuit) and triggering
 `tor_assert(circuit->rend_data);`.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5644>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list