diff options
| -rw-r--r-- | changes/link_negotiation_assert | 6 | ||||
| -rw-r--r-- | src/or/channeltls.c | 9 |
2 files changed, 15 insertions, 0 deletions
diff --git a/changes/link_negotiation_assert b/changes/link_negotiation_assert new file mode 100644 index 000000000..398a54557 --- /dev/null +++ b/changes/link_negotiation_assert @@ -0,0 +1,6 @@ + o Major bugfixs (security): + - Fix a group of remotely triggerable assertion failures related to + incorrect link protocol negotiation. Found, diagnosed, and fixed + by "some guy from France." Fix for CVE-2012-2250; bugfix on + 0.2.3.6-alpha. + diff --git a/src/or/channeltls.c b/src/or/channeltls.c index 4e3c20ab7..d094d15af 100644 --- a/src/or/channeltls.c +++ b/src/or/channeltls.c @@ -1229,6 +1229,15 @@ channel_tls_process_versions_cell(var_cell_t *cell, channel_tls_t *chan) "handshake. Closing connection."); connection_or_close_for_error(chan->conn, 0); return; + } else if (highest_supported_version != 2 && + chan->conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V2) { + /* XXXX This should eventually be a log_protocol_warn */ + log_fn(LOG_WARN, LD_OR, + "Negotiated link with non-2 protocol after doing a v2 TLS " + "handshake with %s. Closing connection.", + fmt_addr(&chan->conn->base_.addr)); + connection_or_close_for_error(chan->conn, 0); + return; } chan->conn->link_proto = highest_supported_version; |