aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--changes/link_negotiation_assert6
-rw-r--r--src/or/channeltls.c9
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert
new file mode 100644
index 000000000..398a54557
--- /dev/null
+++ b/changes/link_negotiation_assert
@@ -0,0 +1,6 @@
+ o Major bugfixs (security):
+ - Fix a group of remotely triggerable assertion failures related to
+ incorrect link protocol negotiation. Found, diagnosed, and fixed
+ by "some guy from France." Fix for CVE-2012-2250; bugfix on
+ 0.2.3.6-alpha.
+
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 4e3c20ab7..d094d15af 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan)
"handshake. Closing connection.");
connection_or_close_for_error(chan->conn, 0);
return;
+ } else if (highest_supported_version != 2 &&
+ chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
+ /* XXXX This should eventually be a log_protocol_warn */
+ log_fn(LOG_WARN, LD_OR,
+ "Negotiated link with non-2 protocol after doing a v2 TLS "
+ "handshake with %s. Closing connection.",
+ fmt_addr(&chan->conn->base_.addr));
+ connection_or_close_for_error(chan->conn, 0);
+ return;
}
chan->conn->link_proto = highest_supported_version;