Fix suggested by Nick Mathewson.
upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by
frosty_un.
+ - Don't use any OR connection on which we have received a
+ CREATE_FAST cell to satisfy an EXTEND request. Previously, we
+ would not consider whether a connection appears to be from a
+ client or bridge when deciding whether to use that connection to
+ satisfy an EXTEND request. Mitigates CVE-2011-2768, by
+ preventing an attacker from determining whether an unpatched
+ client is connected to a patched relay. Bugfix on FIXME; found
+ by frosty_un.
+
* a CPU worker. */
char keys[CPATH_KEY_MATERIAL_LEN];
char reply[DIGEST_LEN*2];
+
tor_assert(cell->command == CELL_CREATE_FAST);
+
+ /* Make sure we never try to use the OR connection on which we
+ * received this cell to satisfy an EXTEND request, */
+ conn->is_connection_with_client = 1;
+
if (fast_server_handshake(cell->payload, (uint8_t*)reply,
(uint8_t*)keys, sizeof(keys))<0) {
log_warn(LD_OR,"Failed to generate key material. Closing.");
tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN));
if (conn->_base.marked_for_close)
continue;
+ /* Never return a connection on which the other end appears to be
+ * a client. */
+ if (conn->is_connection_with_client) {
+ continue;
+ }
/* Never return a non-open connection. */
if (conn->_base.state != OR_CONN_STATE_OPEN) {
/* If the address matches, don't launch a new connection for this
* because the connection is too old, or because there's a better one, etc.
*/
unsigned int is_bad_for_new_circs:1;
+ /** True iff we have decided that the other end of this connection
+ * is a client. Connections with this flag set should never be used
+ * to satisfy an EXTEND request. */
+ unsigned int is_connection_with_client:1;
uint8_t link_proto; /**< What protocol version are we using? 0 for
* "none negotiated yet." */
circid_t next_circ_id; /**< Which circ_id do we try to use next on
projects / thirdparty / tor.git / commitdiff
