Nick Mathewson [Mon, 14 Jan 2013 19:02:13 +0000 (14:02 -0500)]
Reject create/begin/etc cells with {circ,stream}ID 0.
Otherwise, it's possible to create streams or circuits with these
bogus IDs, leading to orphaned circuits or streams, or to ones that
can cause bandwidth DOS problems.
Nick Mathewson [Wed, 7 Nov 2012 21:09:58 +0000 (16:09 -0500)]
Add and use and unlikely-to-be-eliminated memwipe()
Apparently some compilers like to eliminate memset() operations on
data that's about to go out-of-scope. I've gone with the safest
possible replacement, which might be a bit slow. I don't think this
is critical path in any way that will affect performance, but if it
is, we can work on that in 0.2.4.
Nick Mathewson [Wed, 24 Oct 2012 02:58:38 +0000 (22:58 -0400)]
Fix a remotely triggerable assertion failure (CVE-2012-2250)
If we completed the handshake for the v2 link protocol but wound up
negotiating the wong protocol version, we'd become so confused about
what part of the handshake we were in that we'd promptly die with an
assertion.
This is a fix for CVE-2012-2250; it's a bugfix on 0.2.3.6-alpha.
All servers running that version or later should really upgrade.
Bug and fix from "some guy from France." I tweaked his code slightly
to make it log the IP of the offending node.
Nick Mathewson [Tue, 23 Oct 2012 21:12:37 +0000 (17:12 -0400)]
Fix binary search on lists of 0 or 1 element.
The implementation we added has a tendency to crash with lists of 0 or
one element. That can happen if we get a consensus vote, v2
consensus, consensus, or geoip file with 0 or 1 element. There's a
DOS opportunity there that authorities could exploit against one
another, and which an evil v2 authority could exploit against anything
downloading v2 directory information..
This fix is minimalistic: It just adds a special-case for 0- and
1-element lists. For 0.2.4 (the current alpha series) we'll want a
better patch.
Roger Dingledine [Mon, 22 Oct 2012 19:45:39 +0000 (15:45 -0400)]
Let 0.2.3 clients exit to internal addresses if they want
Clients now consider the ClientRejectInternalAddresses config option
when using a microdescriptor consensus stanza to decide whether
an exit relay would allow exiting to an internal address. Fixes
bug 7190; bugfix on 0.2.3.1-alpha.
Nick Mathewson [Wed, 17 Oct 2012 23:57:27 +0000 (19:57 -0400)]
Disable TLS Session Tickets, which we were apparently getting for free
OpenSSL 1.0.0 added an implementation of TLS session tickets, a
"feature" that let session resumption occur without server-side state
by giving clients an encrypted "ticket" that the client could present
later to get the session going again with the same keys as before.
OpenSSL was giving the keys to decrypt these tickets the lifetime of
the SSL contexts, which would have been terrible for PFS if we had
long-lived SSL contexts. Fortunately, we don't. Still, it's pretty
bad. We should also drop these, since our use of the extension stands
out with our non-use of session cacheing.
Found by nextgens. Bugfix on all versions of Tor when built with
openssl 1.0.0 or later. Fixes bug 7139.
Nick Mathewson [Tue, 16 Oct 2012 16:55:50 +0000 (12:55 -0400)]
Discard extraneous renegotiation attempts in the v3 link protocol
Failure to do so left us open to a remotely triggerable assertion
failure. Fixes CVE-2012-2249; bugfix on 0.2.3.6-alpha. Reported by
"some guy from France".
Nick Mathewson [Fri, 14 Sep 2012 16:37:17 +0000 (12:37 -0400)]
Use file-size-fixup code on cygwin too.
We already had code on windows to fix our file sizes when we're
reading a file in text mode and its size doesn't match the size from
fstat. But that code was only enabled when _WIN32 was defined, and
Cygwin defines __CYGWIN__ instead.
Allow one-hop directory fetching circuits the full "circuit build timeout"
period, rather than just half of it, before failing them and marking
the relay down. This fix should help reduce cases where clients declare
relays (or worse, bridges) unreachable because the TLS handshake takes
a few seconds to complete.
Fixes bug 6743 (one piece of bug 3443); bugfix on 0.2.2.2-alpha, where
we changed the timeout from a static 30 seconds.
Nick Mathewson [Mon, 27 Aug 2012 14:46:17 +0000 (10:46 -0400)]
Downgrade path-bias warning messages to INFO for now.
We've had over two months to fix them, and didn't. Now we need
0.2.3.x stable. Yes, it would be cool to get this working in
0.2.3.x, but not at the expense of delaying every other feature that
_does_ work in 0.2.3.x. We can do a real fix in 0.2.4.
Nick Mathewson [Fri, 17 Aug 2012 20:46:11 +0000 (16:46 -0400)]
When iterating over connections pending DNS, skip marked ones
Failure to do this would lead to double-free cases and similar,
especially when the exit's DNS was broken. See bug 6472 for full
details; this is a fix for 6472.
Nick Mathewson [Fri, 17 Aug 2012 17:49:52 +0000 (13:49 -0400)]
Fix more warnings from openbsd_malloc
Apparently, (void)writev is not enough to suppress the "you are
ignoring the return value!" warnings on Linux. Instead, remove the
whole warning/error logic when compiling openbsd_malloc for Tor: we
can't use it.
Mike Perry [Thu, 16 Aug 2012 02:59:55 +0000 (19:59 -0700)]
Bug 6475: Explicitly track our path bias state.
This is done to avoid spurious warns. Additional log lines are also
added to try to track down the codepaths where we are somehow overcounting
success counts.
Nick Mathewson [Wed, 15 Aug 2012 23:26:53 +0000 (19:26 -0400)]
Fix warnings and 64-bit problems in openbsd-malloc code
The warning fixes are:
- Only define issetugid if it's missing.
- Explicitly ignore the return value of writev.
- Explicitly cast the retval of readlink() to int.
The 64-bit problems are related to just storing a size_t in an int. Not cool! Use a size_t instead.
Fix for bug 6379. Bugfix on 0.2.0.20-rc, which introduced openbsd-malloc.
Nick Mathewson [Wed, 15 Aug 2012 21:49:18 +0000 (17:49 -0400)]
Raise the part of torrc mapaddress handling that knows wildcards
This patch extracts the inner part of config_register_addressmaps --
the part that knows about detecting wildcard addresses addresses --
and makes it into a new function. The new function is deliberately
not moved or reindented, so that the diff is smaller.
Nick Mathewson [Thu, 9 Aug 2012 19:48:43 +0000 (15:48 -0400)]
Don't infer we have a FooPort from the presence of a FooPort line
Thanks to the changes we started making with SocksPort and friends
in 0.2.3.3-alpha, any of our code that did "if (options->Sockport)"
became wrong, since "SocksPort 0" would make that test true whereas
using the default SocksPort value would make it false. (We didn't
actually do "if (options->SockPort)" but we did have tests for
TransPort. When we moved DirPort, ORPort, and ControlPort over to
the same system in 0.2.3.9-alpha, the problem got worse, since our
code is littered with checks for DirPort and ORPort as booleans.
This code renames the current linelist-based FooPort options to
FooPort_lines, and adds new FooPort_set options which get set at
parse-and-validate time on the or_options_t. FooPort_set is true
iff we will actually try to open a listener of the given type. (I
renamed the FooPort options rather than leave them alone so that
every previous user of a FooPort would need to get inspected, and so
that any new code that forgetfully uses FooPort will need fail to
compile.)
Nick Mathewson [Fri, 3 Aug 2012 15:54:11 +0000 (11:54 -0400)]
Try to clarify impact of bug 6537
I don't personally agree that this is likely to be easy to exploit,
and some initial experimention I've done suggests that cache-miss
times are just plain too fast to get useful info out of when they're
mixed up with the rest of Tor's timing noise. Nevertheless, I'm
leaving Robert's initial changelog entry in the git history so that he
can be the voice of reason if I'm wrong. :)
projects / thirdparty / tor.git / log
