Opened 20 months ago

Closed 5 months ago

#17404 closed defect (fixed)

dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.

Reported by: nickm
Owned by:
Priority: Very High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: 024-backport, 026-backport, 025-backport, 2016-bug-retrospective
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

dn_indicates_v3_cert() does this:

  len = ASN1_STRING_to_UTF8(&s, str);
  if (len < 0) {
    return 0;
  }
  r = fast_memneq(s + len - 4, ".net", 4);

Note that if len < 4, we read bytes from a malloc header, which isn't a good thing at all.

In practice, I don't think this should cause crashes or security failures, unless somebody is using a very weird malloc, or unless somebody has a hardened installation that detects this kind of invalid check.

Still, this is a must-fix.
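
A bounds-checked form of the suffix comparison described above, as an added example; it is not Tor's code and not the fix from the bug17404_024 branch. `suffix_differs` is a hypothetical helper, the sample inputs are constructed, plain `memcmp` stands in for `fast_memneq`, and treating a too-short name as "does not match" is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not a Tor function): returns 1 when the len-byte
 * buffer s does NOT end with suffix, 0 when it does. This mirrors the
 * "not equal" sense of the fast_memneq() call quoted in the ticket.
 * memcmp() is used here for portability; it is not constant-time. */
static int
suffix_differs(const unsigned char *s, int len, const char *suffix)
{
  size_t slen = strlen(suffix);

  /* ASN1_STRING_to_UTF8() reports failure as a negative length. */
  if (s == NULL || len < 0)
    return 1;
  /* The guard the quoted snippet lacks: with len < slen, s + len - slen
   * points before the start of the allocation, so never form it.
   * Assumption: a name too short to hold the suffix counts as different. */
  if ((size_t)len < slen)
    return 1;
  return memcmp(s + (size_t)len - slen, suffix, slen) != 0;
}

int
main(void)
{
  /* Constructed sample inputs, including the short cases from the ticket. */
  static const unsigned char shortname[] = "ab";
  static const unsigned char exact[] = ".net";
  static const unsigned char host[] = "www.example.net";
  static const unsigned char other[] = "www.example.com";

  int ok = suffix_differs(shortname, 2, ".net") == 1   /* len < 4 */
        && suffix_differs(shortname, 0, ".net") == 1   /* empty string */
        && suffix_differs(exact, 4, ".net") == 0       /* len == 4 */
        && suffix_differs(host, 15, ".net") == 0
        && suffix_differs(other, 15, ".net") == 1;
  return ok ? 0 : 1;
}
```
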


Change History (7)

comment:1 Changed 20 months ago by nickm

  • Status changed from new to needs_review

My branch bug17404_024 fixes this problem in 0.2.4 and later.

comment:2 Changed 20 months ago by nickm

[Merged to 0.2.7 and later; should consider for 0.2.4, 0.2.5, 0.2.6 backport]

comment:3 Changed 20 months ago by ln5

I spot a typo in the changelog entry, but that's all.

"unsual hardening"

comment:4 Changed 19 months ago by nickm

  • Milestone changed from Tor: 0.2.7.x-final to Tor: 0.2.6.x-final

comment:5 Changed 14 months ago by nickm

  • Keywords 2016-bug-retrospective added

Marking these tickets (based on severity and hand-review) for inclusion in 2016 bug retrospective

comment:6 Changed 6 months ago by cypherpunks

Is this ticket still being considered for a backport or can it be closed?

comment:7 Changed 5 months ago by nickm

  • Milestone changed from Tor: 0.2.6.x-final to Tor: 0.2.4.x-final
  • Resolution set to fixed
  • Status changed from needs_review to closed

Backported to 0.2.4.
