From cca6198c777dba463aeb4a8fba6a953cde9576a8 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 10 Jun 2014 11:11:47 -0400 Subject: Avoid illegal read off end of an array in prune_v2_cipher_list This function is supposed to construct a list of all the ciphers in the "v2 link protocol cipher list" that are supported by Tor's openssl. It does this by invoking ssl23_get_cipher_by_char on each two-byte ciphersuite ID to see which ones give a match. But when ssl23_get_cipher_by_char cannot find a match for a two-byte SSL3/TLS ciphersuite ID, it checks to see whether it has a match for a three-byte SSL2 ciphersuite ID. This was causing a read off the end of the 'cipherid' array. This was probably harmless in practice, but we shouldn't be having any uninitialized reads. (Using ssl23_get_cipher_by_char in this way is a kludge, but then again the entire existence of the v2 link protocol is kind of a kludge. Once Tor 0.2.2 clients are all gone, we can drop this code entirely.) Found by starlight. Fix on 0.2.4.8-alpha. Fixes bug 12227. --- changes/bug12227 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 changes/bug12227 (limited to 'changes') diff --git a/changes/bug12227 b/changes/bug12227 new file mode 100644 index 000000000..d8b5d08a5 --- /dev/null +++ b/changes/bug12227 @@ -0,0 +1,5 @@ + o Minor bugfixes: + - Avoid an illegal read from stack when initializing the TLS + module using a version of OpenSSL without all of the ciphers + used by the v2 link handshake. Fixes bug 12227; bugfix on + 0.2.4.8-alpha. Found by "starlight". -- cgit v1.2.3