Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#5645 closed defect (fixed)

rend_mid_rendezvous() encodes rendezvous cookie before checking for proto violation

Reported by: asn
Owned by:
Priority: Medium
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-client
Cc:
Actual Points:
Parent ID: #5643
Points:
Reviewer:
Sponsor:


int
rend_mid_rendezvous(or_circuit_t *circ, const uint8_t *request,
                    size_t request_len)
{
  or_circuit_t *rend_circ;
  char hexid[9];

  /* [line elided in the ticket: the cookie bytes are hex-encoded into
     hexid here, before request_len has been validated] */

  if (request_len>=4) {
    log_info(LD_REND,
             "Got request for rendezvous from circuit %d to cookie %s.",
             circ->p_circ_id, hexid);
  }
  /* ... remainder of the function, including the protocol checks ... */

[censored] found this:

rend_mid_rendezvous() fun. why need decode before protocol violation checks.

It doesn't seem exploitable but it would be good to do everything after the proto violation checks are done.
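The reordering the ticket asks for, shown as an added example that is not Tor's rend_mid_rendezvous() and not the bug5645 branch: a small hex_encode() stands in for Tor's base16_encode(), the function names and the 20-byte cookie length are assumed, and the truncated-length call in the "encode first" variant is a reconstruction rather than code from the page.

```c
/* Added example, not Tor's code: reject a malformed rendezvous payload
 * before deriving anything from it (here, the hex id for the log line).
 * Function names, the 20-byte cookie length and hex_encode() are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define COOKIE_LEN 20   /* assumed: Tor rendezvous cookies are 20 bytes */
#define HEXID_BYTES 4   /* cookie bytes shown in the log line, as above */

/* Stand-in for Tor's base16_encode(): uppercase hex, NUL-terminated. */
static void hex_encode(char *dest, size_t destlen,
                       const uint8_t *src, size_t srclen)
{
  static const char digits[] = "0123456789ABCDEF";
  size_t i;
  if (destlen < srclen * 2 + 1)
    return;                       /* dest too small: write nothing */
  for (i = 0; i < srclen; i++) {
    dest[2 * i]     = digits[src[i] >> 4];
    dest[2 * i + 1] = digits[src[i] & 0x0f];
  }
  dest[2 * srclen] = '\0';
}

/* Ordering the ticket objects to: encode for the log first, check after.
 * The length clamp is a reconstruction, not the page's code. */
int rendezvous_encode_first(const uint8_t *request, size_t request_len,
                            char *hexid, size_t hexid_len)
{
  hex_encode(hexid, hexid_len, request,
             request_len < HEXID_BYTES ? request_len : HEXID_BYTES);
  if (request_len != COOKIE_LEN)
    return -1;                    /* violation, but hexid already written */
  return 0;
}

/* Fixed ordering: every protocol check runs before the payload is read. */
int rendezvous_check_first(const uint8_t *request, size_t request_len,
                           char *hexid, size_t hexid_len)
{
  if (request == NULL || request_len != COOKIE_LEN)
    return -1;                    /* nothing derived from the payload yet */
  hex_encode(hexid, hexid_len, request, HEXID_BYTES);
  return 0;
}
/* Constructed sample cookie (20 bytes), not a real rendezvous cookie. */
static const uint8_t sample_cookie[COOKIE_LEN] = {
  0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
  0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF };
```

With a 3-byte request the "check first" variant returns -1 and leaves hexid untouched, while the "encode first" variant has already written "DEADBE" into it before noticing the violation.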

Child Tickets

Change History (6)

comment:1 Changed 8 years ago by asn

Status: new → needs_review

Please see branch bug5645 in

comment:2 Changed 8 years ago by nickm

Status: needs_review → needs_revision

I don't think you need the


any more: the code just checked the value of request_len.

Also, needs a changes file.

comment:3 Changed 8 years ago by asn

Status: needs_revision → needs_review


Please see branch bug5645_take2 in

comment:4 Changed 8 years ago by nickm

Resolution: fixed
Status: needs_review → closed

Looks good. Tweaking a little more and merging. Thanks!

comment:5 Changed 8 years ago by nickm

Keywords: tor-client added

comment:6 Changed 8 years ago by nickm

Component: Tor Client → Tor