[tor-bugs] #34400 [Core Tor/Tor]: control: HSFETCH command fails to validate v2 addresses
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jun 9 15:52:57 UTC 2020
#34400: control: HSFETCH command fails to validate v2 addresses
-------------------------+-------------------------------------------------
Reporter: dgoulet | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: 0.4.5.x-final
Component: Core | Version:
Tor/Tor | Keywords: 044-backport 043-backport
Severity: Normal | 042-backport tor-hs tor-control regression
Actual Points: | Parent ID:
Points: 0.1 | Reviewer:
Sponsor: |
-------------------------+-------------------------------------------------
In `handle_control_hsfetch()`:
{{{
} else if (strcmpstart(arg1, v2_str) == 0 &&
rend_valid_descriptor_id(arg1 + v2_str_len) &&
base32_decode(digest, sizeof(digest), arg1 + v2_str_len,
REND_DESC_ID_V2_LEN_BASE32) ==
REND_DESC_ID_V2_LEN_BASE32) {
}}}
The above snippet is how we validate the v2 address for the `HSFETCH`
command. The `base32_decode()` function returns the number of bytes
_decoded_ and thus it should returns on success `sizeof(digest)`, not the
total length of the base32 address (20 vs 32).
Issue was introduced in commit `a517daa56f5848d25ba79617a1a7b82ed2b0a7c0`
meaning since 0.4.1.1-alpha (ticket #28913).
I noticed this because I recently updated the bad HSDirscanner Tor to use
our latest and it broke the scanner.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/34400>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list