]> git.ipfire.org Git - thirdparty/tor.git/commitdiff
projects / thirdparty / tor.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 99ce408)
More tolerance for packaging too-long payloads
authorNick Mathewson <nickm@torproject.org>
Thu, 17 Apr 2025 23:31:36 +0000 (19:31 -0400)
committerNick Mathewson <nickm@torproject.org>
Mon, 5 May 2025 17:07:37 +0000 (13:07 -0400)
(There are _lots_ of places that build a payload that would be long enough
to fit into a V0 cell, then pass it to relay_send_command_from_edge.)

src/core/or/relay.c patch | blob | blame | history

diff --git a/src/core/or/relay.c b/src/core/or/relay.c
index 1f2ef34fdd2bde5f6ff03b7f5f739da101df467a..6965528ff12a08cfbb08f379a7582f27a1d96282 100644 (file)
--- a/src/core/or/relay.c
+++ b/src/core/or/relay.c
@@ -623,8 +623,16 @@ relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *orig_circ,
   {
     relay_cell_fmt_t cell_format = relay_msg_get_format(circ, cpath_layer);
     relay_msg_t msg;
-    tor_assert(payload_len <=
-               relay_cell_max_payload_size(cell_format, relay_command));
+    if (payload_len >
+        relay_cell_max_payload_size(cell_format, relay_command)) {
+      // TODO CGO: Rate-limit this?
+      log_warn(LD_BUG, "Tried to send a command %d of length %d in "
+               "a v%d cell, from %s:%d",
+               (int)relay_command, (int)payload_len, (int)cell_format,
+               filename, lineno);
+      circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+      return -1;
+    }
 
     msg.relay_cell_proto = cell_format;
     msg.command = relay_command;
@@ -637,7 +645,8 @@ relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *orig_circ,
     msg_body_len = msg.length;
 
     if (relay_msg_encode_cell(cell_format, &msg, &cell) < 0) {
-      // This already gave a BUG warning, so no need to log.
+      // We already called IF_BUG_ONCE in relay_msg_encode_cell.
+      circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
       return -1;
     }
   }
Mirror of https://git.torproject.org/tor.git