Out-of-bounds read in INTRODUCE2 with client authorization
|Reported by:||special||Owned by:|
|Severity:||Normal||Keywords:||tor-hs, 025-backport, 026-backport, 2016-bug-retrospective|
An authorized hidden service client can cause an out-of-bounds read on a service with authorization enabled, of at most 15 bytes off the end of a malloc'd segment. The client must have a valid authorization cookie. There is no disclosure of uninitialized memory, except in an info-level log message, but there is a small chance of a crash.
In rend_check_authorization, the descriptor_cookie from the INTRODUCE2 cell is assumed to be REND_DESC_COOKIE_LEN bytes. This is checked earlier when the auth_type is 1 or 2, but not for any other non-zero auth_type.
There is a warning about unknown auth types in rend_service_validate_intro_late, but no error.
Change History (7)
comment:4 Changed 2 years ago by nickm
- Milestone changed from Tor: 0.2.7.x-final to Tor: 0.2.6.x-final
comment:5 Changed 2 years ago by nickm
- Resolution set to fixed
- Status changed from needs_review to closed