Use local descriptor object to exclude self in path selection

TROVE-2017-12. Severity: Medium

When choosing a random node for a circuit, directly use our router
descriptor to exclude ourself instead of the one in the global
descriptor list. That list could be empty because tor could be
downloading them which could lead to not excluding ourself.

Closes #21534

diff --git a/changes/trove-2017-012-part1 b/changes/trove-2017-012-part1
new file mode 100644 (file)
index 0000000..9fccc2c
--- /dev/null
+++ b/changes/trove-2017-012-part1
@@ -0,0 +1,6 @@
+  o Major bugfixes (security, relay):
+    - When running as a relay, make sure that we never build a path through
+      ourselves, even in the case where we have somehow lost the version of
+      our descriptor appearing in the consensus. Fixes part of bug 21534;
+      bugfix on 0.2.0.1-alpha. This issue is also tracked as TROVE-2017-012
+      and CVE-2017-8822.

diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 07e87724ba1fd92b682b7147725b3b043943192e..3bf1eb8956d9a6dd941a8acb7a0635e3f141c75c 100644 (file)
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -2411,7 +2411,10 @@ router_choose_random_node(smartlist_t *excludedsmartlist,
       });
   }
 
-  if ((r = routerlist_find_my_routerinfo()))
+  /* If the node_t is not found we won't be to exclude ourself but we
+   * won't be able to pick ourself in router_choose_random_node() so
+   * this is fine to at least try with our routerinfo_t object. */
+  if ((r = router_get_my_routerinfo()))
     routerlist_add_node_and_family(excludednodes, r);
 
   router_add_running_nodes_to_smartlist(sl, allow_invalid,