[tor-bugs] #8062 [Tor]: We try to squeeze a two-byte version into a one-byte link_proto

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jan 27 17:31:31 UTC 2013


#8062: We try to squeeze a two-byte version into a one-byte link_proto
--------------------+-------------------------------------------------------
 Reporter:  arma    |          Owner:                    
     Type:  defect  |         Status:  new               
 Priority:  normal  |      Milestone:  Tor: 0.2.3.x-final
Component:  Tor     |        Version:                    
 Keywords:          |         Parent:                    
   Points:          |   Actualpoints:                    
--------------------+-------------------------------------------------------
 {{{
   int highest_supported_version = 0;
 ...
     uint16_t v = ntohs(get_uint16(cp));
     if (is_or_protocol_version_known(v) && v > highest_supported_version)
       highest_supported_version = v;
 ...
   chan->conn->link_proto = highest_supported_version;
 }}}

 But
 {{{
   uint8_t link_proto; /**< What protocol version are we using? 0 for
                        * "none negotiated yet." */
 }}}

 So these checks in channel_tls_process_versions_cell():
 {{{
   if (!highest_supported_version) {
 ...
   } else if (highest_supported_version == 1) {
 ...
   } else if (highest_supported_version < 3 &&
              chan->conn->base_.state ==  OR_CONN_STATE_OR_HANDSHAKING_V3)
 {
 ...
   } else if (highest_supported_version != 2 &&
              chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
 }}}
 can all be bypassed by sending 0x0101 rather than 0x0001, etc.

 Reported by bob from irc. He says there are triggerable asserts, but he
 didn't clarify which one.

 See also #8059 for a nearby bug.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8062>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
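The following C model is an added example written for this page; it is not Tor's code and not part of the ticket. It reproduces the mismatch the ticket points at: the checks run on an int holding a 16-bit value, while the field that keeps the result is a uint8_t, so the byte stored and the value checked can differ. Everything prefixed model_ is invented here; the two state names stand in for OR_CONN_STATE_OR_HANDSHAKING_V2/V3; and the "permissive" predicate, which accepts any nonzero 16-bit value, is an assumption made so that a version such as 0x0101 reaches the checks, as the ticket says it can. The "strict" predicate is shown as one possible hardening (accept only versions that both exist and fit the uint8_t field), not as the fix the Tor project adopted.

```c
/* Constructed model of the versions-cell handling quoted in #8062.
 * Example code for this page, not Tor's own; all model_ names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stand-ins for OR_CONN_STATE_OR_HANDSHAKING_V2 / _V3. */
enum model_state { MODEL_HANDSHAKING_V2, MODEL_HANDSHAKING_V3 };

enum model_outcome {
  MODEL_NO_VERSION,        /* the !highest_supported_version branch */
  MODEL_V1_UNEXPECTED,     /* the == 1 branch */
  MODEL_V3_STATE_NEEDS_V3, /* the < 3 && V3 branch */
  MODEL_V2_STATE_NEEDS_V2, /* the != 2 && V2 branch */
  MODEL_ACCEPTED           /* no rejecting branch fired */
};

struct model_result {
  enum model_outcome outcome;
  uint8_t link_proto;      /* narrow field, as in the page's struct */
};

typedef int (*model_known_fn)(uint16_t);

/* Assumption for the demo: any nonzero value counts as "known", so the
 * only range checks are the later branches, which look at the wide int. */
int model_known_permissive(uint16_t v) { return v != 0; }

/* Hardened predicate: only versions that exist and fit a uint8_t. */
int model_known_strict(uint16_t v) { return v >= 1 && v <= 3; }

/* Mirror of the loop in the ticket: highest "known" version in the cell
 * body, read as big-endian uint16 pairs, accumulated in an int. */
static int model_highest_version(const uint8_t *body, size_t len,
                                 model_known_fn known)
{
  int highest = 0;
  for (size_t i = 0; i + 1 < len; i += 2) {
    uint16_t v = (uint16_t)((body[i] << 8) | body[i + 1]);
    if (known(v) && v > highest)
      highest = v;
  }
  return highest;
}

/* The branch structure quoted from channel_tls_process_versions_cell(),
 * applied to the int.  link_proto is assigned before the checks, as in the
 * excerpt, so the byte kept and the int checked can disagree. */
struct model_result model_process(enum model_state st, const uint8_t *body,
                                  size_t len, model_known_fn known)
{
  struct model_result r;
  int highest = model_highest_version(body, len, known);
  r.link_proto = (uint8_t)highest;   /* truncation: 0x0101 -> 1, 0x0100 -> 0 */
  if (!highest)
    r.outcome = MODEL_NO_VERSION;
  else if (highest == 1)
    r.outcome = MODEL_V1_UNEXPECTED;
  else if (highest < 3 && st == MODEL_HANDSHAKING_V3)
    r.outcome = MODEL_V3_STATE_NEEDS_V3;
  else if (highest != 2 && st == MODEL_HANDSHAKING_V2)
    r.outcome = MODEL_V2_STATE_NEEDS_V2;
  else
    r.outcome = MODEL_ACCEPTED;
  return r;
}

/* Constructed sample cell bodies (one 16-bit version each). */
const uint8_t model_cell_v3[]     = { 0x00, 0x03 }; /* honest peer: version 3 */
const uint8_t model_cell_0x0101[] = { 0x01, 0x01 }; /* stored byte becomes 1 */
const uint8_t model_cell_0x0100[] = { 0x01, 0x00 }; /* stored byte becomes 0 */

int main(void)
{
  struct model_result r;
  r = model_process(MODEL_HANDSHAKING_V3, model_cell_0x0101, 2, model_known_permissive);
  printf("permissive, 0x0101, v3 state: outcome=%d link_proto=%d\n",
         (int)r.outcome, (int)r.link_proto);
  r = model_process(MODEL_HANDSHAKING_V3, model_cell_0x0100, 2, model_known_permissive);
  printf("permissive, 0x0100, v3 state: outcome=%d link_proto=%d\n",
         (int)r.outcome, (int)r.link_proto);
  r = model_process(MODEL_HANDSHAKING_V3, model_cell_0x0101, 2, model_known_strict);
  printf("strict,     0x0101, v3 state: outcome=%d link_proto=%d\n",
         (int)r.outcome, (int)r.link_proto);
  return 0;
}
```

With the permissive predicate, a cell carrying 0x0101 in the v3-handshaking state passes every branch (257 is nonzero, not 1, and not below 3) yet leaves link_proto at 1, the very value the `== 1` branch exists to catch; 0x0100 likewise passes and leaves link_proto at 0, the "none negotiated yet" sentinel. Under this model the equality test `!= 2` still rejects such values in the v2 state, but the zero test, `== 1` and `< 3` are all defeated. With the strict predicate neither value is counted, highest stays 0, and the cell is rejected before anything is stored. The general check to take away: whenever a validated value is narrowed on assignment, validate against the narrow type's range (or keep the same type end to end), so the thing checked is the thing kept.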