[tor-bugs] #6797 [Tor Directory Authority]: dirserv_generate_networkstatus_vote_obj() might dereference NULL

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Mon Sep 10 09:10:50 UTC 2012


#6797: dirserv_generate_networkstatus_vote_obj() might dereference NULL
-------------------------------------+--------------------------------------
 Reporter:  ln5                      |          Owner:  ln5         
     Type:  defect                   |         Status:  needs_review
 Priority:  major                    |      Milestone:              
Component:  Tor Directory Authority  |        Version:              
 Keywords:                           |         Parent:              
   Points:                           |   Actualpoints:              
-------------------------------------+--------------------------------------

Comment(by ln5):

 dirvote_create_microdescriptor() returns NULL if either of

 1. crypto_pk_write_public_key_to_string(ri->onion_pkey, &key, &keylen)
 returns < 0
 2. microdescs_parse_from_string() returns a list with length != 1


 Case 1 happens if either of

 a) BIO_new(BIO_s_mem()) returns != 0
 b) PEM_write_bio_RSAPublicKey(b, env->key) returns != 0

 Case 2 happens if either of

 a) we have produced md text that we cannot parse (tokenize_string() -> !=
 0)
 b) there's more than one (proper) md in the input (no)
 c) bad time in "@last-listed" (no)
 d) invalid exponent in "onion-key" (crypto_pk_public_exponent_ok() -> 0)
 e) illegal nickname in "family" (is_legal_nickname_or_hexdigest() -> 0)


 I can not see how case 1 would be triggered remotely.

 I think that case 2 is possible to trigger if you can get a
 routerinfo_t with an invalid onion-key or nickname into the routerlist
 of a dir auth. That seems tricky though. Routers from "r" lines are
 protected by router_parse_entry_from_string(), using the same
 verification functions as mentioned above.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6797#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
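
Added example, not from the ticket or from Tor's source: a simplified C model of the two failure cases listed in the comment above, with a caller that checks for the NULL return before using the result. All type and function names are hypothetical, the nickname rule is simplified, and skipping the router is an assumed way to handle the failure, not the project's fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model: every name here is hypothetical, not Tor's code. */
typedef struct { const char *nickname; int key_serializes; int exponent_ok; } router_model_t;
typedef struct { char text[96]; } md_model_t;

/* Models case 2: generated text is re-parsed and must yield exactly one md. */
static int reparse_count(const router_model_t *r) {
  if (!r->exponent_ok) return 0;               /* 2d: invalid exponent */
  if (strchr(r->nickname, ' ')) return 0;      /* 2e: illegal nickname (simplified rule) */
  return 1;
}

/* Returns NULL on either failure case, so callers must check the result. */
static md_model_t *create_md(const router_model_t *r) {
  md_model_t *md;
  if (!r->key_serializes) return NULL;         /* case 1: key cannot be written */
  if (reparse_count(r) != 1) return NULL;      /* case 2: list length != 1 */
  md = calloc(1, sizeof(*md));
  if (!md) return NULL;
  snprintf(md->text, sizeof(md->text), "md-for %s", r->nickname);
  return md;
}

/* Vote-building loop: returns routers included, counts the skipped ones. */
int build_vote(const router_model_t *routers, size_t n, size_t *skipped) {
  int included = 0;
  *skipped = 0;
  for (size_t i = 0; i < n; i++) {
    md_model_t *md = create_md(&routers[i]);
    if (!md) { (*skipped)++; continue; }       /* guard: never touch md->text on NULL */
    included += (md->text[0] != '\0');
    free(md);
  }
  return included;
}

/* Constructed sample input: one valid router and one per failure path. */
int demo_run(size_t *skipped) {
  const router_model_t sample[] = {
    { "good", 1, 1 }, { "nokey", 0, 1 }, { "badexp", 1, 0 }, { "bad nick", 1, 1 },
  };
  return build_vote(sample, sizeof(sample) / sizeof(sample[0]), skipped);
}
```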