[tor-commits] [tor/master] Fix a remotely triggerable assertion failure (CVE-2012-2250)

nickm at torproject.org nickm at torproject.org
Thu Oct 25 14:21:33 UTC 2012


commit c442d85439dd406c846e930dedcd8ed4c780d66e
Author: Nick Mathewson <nickm at torproject.org>
Date:   Tue Oct 23 23:04:35 2012 -0400

    Fix a remotely triggerable assertion failure (CVE-2012-2250)
    
    If we completed the handshake for the v2 link protocol but wound up
    negotiating the wrong protocol version, we'd become so confused about
    what part of the handshake we were in that we'd promptly die with an
    assertion.
    
    This is a fix for CVE-2012-2250; it's a bugfix on 0.2.3.6-alpha.
    All servers running that version or later should really upgrade.
    
    Bug and fix from "some guy from France."  I tweaked his code slightly
    to make it log the IP of the offending node, and to forward-port it to
    0.2.4.
---
 changes/link_negotiation_assert |    6 ++++++
 src/or/channeltls.c             |    9 +++++++++
 2 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert
new file mode 100644
index 0000000..398a545
--- /dev/null
+++ b/changes/link_negotiation_assert
@@ -0,0 +1,6 @@
+  o Major bugfixs (security):
+    - Fix a group of remotely triggerable assertion failures related to
+      incorrect link protocol negotiation. Found, diagnosed, and fixed
+      by "some guy from France." Fix for CVE-2012-2250; bugfix on
+      0.2.3.6-alpha.
+
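Review bot: the heading on the first added line is misspelled as "Major bugfixs (security)"; it should read "Major bugfixes (security)". The entry also says "a group of remotely triggerable assertion failures" while the commit subject describes a single assertion failure, so pick one wording. It would help operators if the entry stated the impact the commit message already gives: relays on 0.2.3.6-alpha or later can be crashed remotely and should upgrade.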
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 4e3c20a..d094d15 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
            "handshake. Closing connection.");
     connection_or_close_for_error(chan->conn, 0);
     return;
+  } else if (highest_supported_version != 2 &&
+             chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
+    /* XXXX This should eventually be a log_protocol_warn */
+    log_fn(LOG_WARN, LD_OR,
+           "Negotiated link with non-2 protocol after doing a v2 TLS "
+           "handshake with %s. Closing connection.",
+           fmt_addr(&chan->conn->base_.addr));
+    connection_or_close_for_error(chan->conn, 0);
+    return;
   }
 
   chan->conn->link_proto = highest_supported_version;
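Review bot: the new else-if branch logs at LOG_WARN on a condition that any remote peer can trigger at will, so a peer that repeats the mismatched negotiation can fill a relay's log with warnings. The XXXX comment already says this should become a protocol warning; doing that in this patch, or rate-limiting the message, would close that gap rather than leaving it as a to-do. The bare literal in "highest_supported_version != 2" would also be easier to audit with a short comment tying it to OR_CONN_STATE_OR_HANDSHAKING_V2, since the check is only correct as long as that state implies link protocol 2 and nothing else.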




