--- /dev/null
+ o Major bugfixes (security):
+ - When waiting for a client to renegotiate, don't allow it to add
+ any bytes to the input buffer. This fixes a DoS issue. Fix for
+ bugs 6007 and 5934; bugfix on 0.2.0.20-rc.
+
int
connection_or_process_inbuf(or_connection_t *conn)
{
- int ret;
+ /** Don't let the inbuf of a nonopen OR connection grow beyond this many
+ * bytes: it's either a broken client, a non-Tor client, or a DOS
+ * attempt. */
+#define MAX_OR_INBUF_WHEN_NONOPEN 0
+
+ int ret = 0;
tor_assert(conn);
switch (conn->_base.state) {
case OR_CONN_STATE_OR_HANDSHAKING:
return connection_or_process_cells_from_inbuf(conn);
default:
- return 0; /* don't do anything */
+ break; /* don't do anything */
}
+
+ if (buf_datalen(conn->_base.inbuf) > MAX_OR_INBUF_WHEN_NONOPEN) {
+ log_fn(LOG_PROTOCOL_WARN, LD_NET, "Accumulated too much data (%d bytes) "
+ "on nonopen OR connection %s %s:%u in state %s; closing.",
+ (int)buf_datalen(conn->_base.inbuf),
+ connection_or_nonopen_was_started_here(conn) ? "to" : "from",
+ conn->_base.address, conn->_base.port,
+ conn_state_to_string(conn->_base.type, conn->_base.state));
+ connection_mark_for_close(TO_CONN(conn));
+ ret = -1;
+ }
+
+ return ret;
}
/** When adding cells to an OR connection's outbuf, keep adding until the
projects / thirdparty / tor.git / commitdiff
