Opened 5 years ago

Closed 4 years ago

#17404 closed defect (fixed)

dn_indicates_v3_cert can call memcmp up to 4 chars before the beginning of a string.

Reported by: nickm
Owned by:
Priority: Very High
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor
Version:
Severity: Major
Keywords: 024-backport, 026-backport, 025-backport, 2016-bug-retrospective
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


dn_indicates_v3_cert() does this:

  len = ASN1_STRING_to_UTF8(&s, str);
  if (len < 0) {
    return 0;
  }
  r = fast_memneq(s + len - 4, ".net", 4);

Note that if len < 4, we read bytes from a malloc header, which isn't a good thing at all.

In practice, I don't think this should cause crashes or security failures, unless somebody is using a very weird malloc, or unless somebody has a hardened installation that detects this kind of invalid check.

Still, this is a must-fix.
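The following is an added illustration of the underflow described above, not code from Tor or from the ticket. It mirrors the shape of the check (a decoded commonName `s` of `len` bytes compared at `s + len - 4`) next to a version with the missing length guard, and runs both over a constructed stand-in for a heap chunk whose four "metadata" bytes sit directly before the string, so the out-of-range read stays inside one object and its effect can be observed. `memneq` is a stand-in for Tor's `fast_memneq()` (assumed contract: nonzero iff the buffers differ); `sim_chunk` and `check_cn` are hypothetical names for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constant-time "not equal" over n bytes, standing in for Tor's
 * fast_memneq() (assumption: same contract, nonzero iff the buffers differ).
 */
static int memneq(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    return acc != 0;
}

/*
 * The pattern from the ticket: `s` is a decoded commonName of `len` bytes and
 * the 4 bytes at s + len - 4 are compared without first checking len >= 4.
 * For len < 4 that window begins before the buffer. Returns 1 if the bytes
 * it sees are ".net", 0 otherwise.
 */
int buggy_cn_ends_with_dot_net(const unsigned char *s, int len)
{
    if (len < 0)
        return 0;                     /* decode failure, as in the original */
    return !memneq(s + len - 4, ".net", 4);
}

/* Fixed version: a name shorter than 4 bytes cannot end in ".net". */
int safe_cn_ends_with_dot_net(const unsigned char *s, int len)
{
    if (len < 4)
        return 0;                     /* never form a pointer before s */
    return !memneq(s + len - 4, ".net", 4);
}

/*
 * Constructed stand-in for a heap chunk: 4 bytes of "allocator metadata"
 * immediately followed by the decoded string. This keeps the underflowing
 * read inside one object so the example can show what it picks up.
 */
struct sim_chunk {
    unsigned char header[4];
    unsigned char data[16];
};

/*
 * Places `cn` in a chunk whose metadata bytes are `header[0..3]` and returns
 * what the buggy (use_fix == 0) or fixed (use_fix != 0) check reports.
 */
int check_cn(const char *cn, const char *header, int use_fix)
{
    struct sim_chunk c;
    int len = (int)strlen(cn);
    if (len > (int)sizeof c.data)
        return -1;                    /* name too long for this toy chunk */
    memcpy(c.header, header, 4);
    memset(c.data, 0, sizeof c.data);
    memcpy(c.data, cn, (size_t)len);
    return use_fix ? safe_cn_ends_with_dot_net(c.data, len)
                   : buggy_cn_ends_with_dot_net(c.data, len);
}

int main(void)
{
    /* A normal name: both checks agree. */
    printf("www.example.net      buggy=%d safe=%d\n",
           check_cn("www.example.net", "\0\0\0\0", 0),
           check_cn("www.example.net", "\0\0\0\0", 1));
    /* An empty name whose chunk metadata happens to read ".net": the buggy
     * check answers from the metadata, not from the certificate. */
    printf("\"\" (metadata \".net\") buggy=%d safe=%d\n",
           check_cn("", ".net", 0),
           check_cn("", ".net", 1));
    return 0;
}
```

The last case is the point of the ticket: with `len == 0` the comparison window is exactly the four bytes preceding the string, so the result depends on whatever the allocator (or a hardened allocator's guard region) put there rather than on the name itself.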

Change History (7)

comment:1 Changed 5 years ago by nickm

Status: new → needs_review

My branch bug17404_024 fixes this problem in 0.2.4 and later.

comment:2 Changed 5 years ago by nickm

[Merged to 0.2.7 and later; should consider for 0.2.4, 0.2.5, 0.2.6 backport]

comment:3 Changed 5 years ago by ln5

I spot a typo in the changelog entry, but that's all.

"unsual hardening"

comment:4 Changed 5 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.6.x-final

comment:5 Changed 5 years ago by nickm

Keywords: 2016-bug-retrospective added

Marking these tickets (based on severity and hand-review) for inclusion in 2016 bug retrospective

comment:6 Changed 4 years ago by cypherpunks

Is this ticket still being considered for a backport or can it be closed?

comment:7 Changed 4 years ago by nickm

Milestone: Tor: 0.2.6.x-final → Tor: 0.2.4.x-final
Resolution: fixed
Status: needs_review → closed

Backported to 0.2.4.
