]> git.ipfire.org Git - thirdparty/tor.git/commitdiff
projects / thirdparty / tor.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b355ddb)
Detect bug 6252 (unexpected sendme cell)
authorRoger Dingledine <arma@torproject.org>
Thu, 28 Jun 2012 18:00:01 +0000 (14:00 -0400)
committerNick Mathewson <nickm@torproject.org>
Wed, 18 Jul 2012 14:23:04 +0000 (10:23 -0400)
I only check on circuits, not streams, since bloating your stream
window past the initial circuit window can't help you much.

Also, I compare to CIRCWINDOW_START_MAX so we don't have surprising
races if we lower CIRCWINDOW_START for an experiment.

changes/bug6252 [new file with mode: 0644] patch | blob
src/or/relay.c patch | blob | blame | history

diff --git a/changes/bug6252 b/changes/bug6252
new file mode 100644 (file)
index 0000000..0d29203
--- /dev/null
+++ b/changes/bug6252
@@ -0,0 +1,8 @@
+  o Security fixes:
+    - Tear down the circuit if we get an unexpected SENDME cell. Clients
+      could use this trick to make their circuits receive cells faster
+      than our flow control would have allowed, or to gum up the network,
+      or possibly to do targeted memory denial-of-service attacks on
+      entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
+      from July 2002, before the release of Tor 0.0.0.
+
diff --git a/src/or/relay.c b/src/or/relay.c
index 3e418ea13f8a0b6e2a99033c95ae421dc193cae3..3d261c2650a6cc9394c54fa9bed28a48d6664267 100644 (file)
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
     case RELAY_COMMAND_SENDME:
       if (!rh.stream_id) {
         if (layer_hint) {
+          if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
+                CIRCWINDOW_START_MAX) {
+            log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+                   "Bug/attack: unexpected sendme cell from exit relay. "
+                   "Closing circ.");
+            return -END_CIRC_REASON_TORPROTOCOL;
+          }
           layer_hint->package_window += CIRCWINDOW_INCREMENT;
           log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
                     layer_hint->package_window);
           circuit_resume_edge_reading(circ, layer_hint);
         } else {
+          if (circ->package_window + CIRCWINDOW_INCREMENT >
+                CIRCWINDOW_START_MAX) {
+            log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+                   "Bug/attack: unexpected sendme cell from client. "
+                   "Closing circ.");
+            return -END_CIRC_REASON_TORPROTOCOL;
+          }
           circ->package_window += CIRCWINDOW_INCREMENT;
           log_debug(LD_APP,
                     "circ-level sendme at non-origin, packagewindow %d.",
Mirror of https://git.torproject.org/tor.git