[tor-bugs] #5645 [Tor Client]: rend_mid_rendezvous() encodes rendezvous cookie before checking for proto violation
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Wed Apr 18 21:55:22 UTC 2012
#5645: rend_mid_rendezvous() encodes rendezvous cookie before checking for proto
violation
------------------------+---------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.3.x-final
Component: Tor Client | Version:
Keywords: | Parent: #5643
Points: | Actualpoints:
------------------------+---------------------------------------------------
{{{
rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request,
size_t request_len)
{
or_circuit_t *rend_circ;
char hexid[9];
int reason = END_CIRC_REASON_INTERNAL;
base16_encode(hexid,9,(char*)request,request_len<4?request_len:4);
if (request_len>=4) {
log_info(LD_REND,
"Got request for rendezvous from circuit %d to cookie %s.",
circ->p_circ_id, hexid);
}
}}}
[censored] found this:
{{{
rend_mid_rendezvous() fun. why need decode before protocol violation
checks.
}}}
It doesn't seem exploitable but it would be good to do everything after
the proto violation checks are done.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5645>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list