Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#6797 closed defect (fixed)

dirserv_generate_networkstatus_vote_obj() might dereference NULL

Reported by: ln5 Owned by: ln5
Priority: High Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-auth
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


In dirserv_generate_networkstatus_vote_obj(), if
dirvote_create_microdescriptor() returns NULL, md is NULL but we still
use it.

Thanks to "f. tp." for reporting this bug!

Child Tickets

Change History (6)

comment:1 Changed 8 years ago by ln5

Status: newneeds_review

See branch bug6797 in my public repo.

comment:2 Changed 8 years ago by ln5

dirvote_create_microdescriptor() returns NULL if either of

  1. crypto_pk_write_public_key_to_string(ri->onion_pkey, &key, &keylen) returns < 0
  2. microdescs_parse_from_string() returns a list with length != 1

Case 1 happens if either of

a) BIO_new(BIO_s_mem()) returns != 0
b) PEM_write_bio_RSAPublicKey(b, env->key) returns != 0

Case 2 happens if either of

a) we have produced md text that we cannot parse (tokenize_string() -> != 0)
b) there's more than one (proper) md in the input (no)
c) bad time in "@last-listed" (no)
d) invalid exponent in "onion-key" (crypto_pk_public_exponent_ok() -> 0)
e) illegal nickname in "family" (is_legal_nickname_or_hexdigest() -> 0)

I can not see how case 1 would be triggered remotely.

I think that case 2 is possible to trigger if you can get a
routerinfo_t with an invalid onion-key or nickname into the routerlist
of a dir auth. That seems tricky though. Routers from "r" lines are
protected by router_parse_entry_from_string(), using the same
verification functions as mentioned above.

comment:3 Changed 8 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Merged and tweaked the changes file.

comment:4 Changed 8 years ago by nickm

Milestone: Tor: 0.2.4.x-final

comment:5 Changed 8 years ago by nickm

Keywords: tor-auth added

comment:6 Changed 8 years ago by nickm

Component: Tor Directory AuthorityTor
Note: See TracTickets for help on using tickets.