commit f9f2dd919f81a6bf4a81656cc290a09d481e0533
parent b316076f119d4f2f97c5191abadac964ba882db0
Author: Nick Mathewson <nickm@torproject.org>
Date: Thu, 11 Dec 2025 16:59:08 -0500
Check for small payload_len when parsing extend cells.
Without this code, if V1 relay cell format were in use, and the relay message
length were set to 0 or 1, then an EXTEND cell could be read beyond the end of
the relay cell payload. This could extend beyond the underlying cell body if
the V1 relay cell format had been negotiated. This would typically lead either
to a crash or to a rejected circuit.
Closes bug 41180; bugfix on 0.4.9.3-alpha, when we made the maximum
size of a relay payload variable.
0.4.8.x and earlier can similarly mis-handle low payload values, but the
bug there cannot be used to read uninitialized data.
Diffstat:
2 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/changes/bug41180 b/changes/bug41180
@@ -0,0 +1,5 @@
+ o Major bugfixes (security):
+ - Avoid an out-of-bounds read error that could occur with
+ V1-formatted cells on Tor 0.4.9.3-alpha or later.
+ Fixes bug 41180; bugfix on 0.4.9.3-alpha.
+ This is tracked as TROVE-2025-016.
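Review bot: the changelog entry does not say where the out-of-bounds read occurs or what triggers it, while the commit message does (an EXTENDED2 relay message whose length is 0 or 1, parsed in extended_cell_parse). Suggest adding that detail so operators can relate the entry to the affected code path, e.g. "when parsing an EXTENDED2 cell with a relay message length smaller than 2". The entry also says only "V1-formatted cells"; consider stating, as the commit message does, that 0.4.8.x and earlier mis-handle the same lengths but cannot be made to read uninitialized data, so readers know which releases need the security fix.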
diff --git a/src/core/or/onion.c b/src/core/or/onion.c
@@ -488,6 +488,10 @@ extended_cell_parse(extended_cell_t *cell_out,
break;
case RELAY_COMMAND_EXTENDED2:
{
+ if (payload_len < 2) {
+ // Prevent underflow below.
+ return -1;
+ }
cell_out->cell_type = RELAY_COMMAND_EXTENDED2;
cell_out->created_cell.cell_type = CELL_CREATED2;
cell_out->created_cell.handshake_len = ntohs(get_uint16(payload));
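Review bot: the comment "Prevent underflow below." undersells what the check protects. The visible context already shows a 2-byte read, `ntohs(get_uint16(payload))`, immediately after the new guard, so `payload_len < 2` is also what keeps that read inside the relay payload; suggest a comment such as "// payload must hold the 2-byte handshake_len; also prevents underflow below." so the bound is documented next to the read it covers. The hunk header shows this is extended_cell_parse and the check is added only in the RELAY_COMMAND_EXTENDED2 case; the case that ends at the `break;` in the leading context gets no equivalent guard, so the commit should state that it reads no bytes from `payload` before checking `payload_len`, or add the same check there.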