authorRobert Ransom <rransom.8774@gmail.com>2011-10-23 14:27:56 -0700
committerSebastian Hahn <sebastian@torproject.org>2011-10-26 23:20:56 +0200
commitaf12c39d6de5bbcd24915db3c4cc9404f102ac02 (patch)
treed54e82419530e0248367fdba1547a7b7d0e0dec9
parent638fdedcf16cf7d6f7c586d36f7ef335c1c9714f (diff)
Don't use any OR connection which sent us a CREATE_FAST cell for an EXTEND
Fix suggested by Nick Mathewson.
-rw-r--r--changes/issue-2011-10-19L9
-rw-r--r--src/or/command.c6
-rw-r--r--src/or/connection_or.c5
-rw-r--r--src/or/or.h4
4 files changed, 24 insertions, 0 deletions
diff --git a/changes/issue-2011-10-19L b/changes/issue-2011-10-19L
index 972823eeea..1fefd7267e 100644
--- a/changes/issue-2011-10-19L
+++ b/changes/issue-2011-10-19L
@@ -10,3 +10,12 @@
upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by
frosty_un.
+ - Don't use any OR connection on which we have received a
+ CREATE_FAST cell to satisfy an EXTEND request. Previously, we
+ would not consider whether a connection appears to be from a
+ client or bridge when deciding whether to use that connection to
+ satisfy an EXTEND request. Mitigates CVE-2011-2768, by
+ preventing an attacker from determining whether an unpatched
+ client is connected to a patched relay. Bugfix on FIXME; found
+ by frosty_un.
+
diff --git a/src/or/command.c b/src/or/command.c
index 61b898cead..a17a3a6025 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
* a CPU worker. */
char keys[CPATH_KEY_MATERIAL_LEN];
char reply[DIGEST_LEN*2];
+
tor_assert(cell->command == CELL_CREATE_FAST);
+
+ /* Make sure we never try to use the OR connection on which we
+ * received this cell to satisfy an EXTEND request, */
+ conn->is_connection_with_client = 1;
+
if (fast_server_handshake(cell->payload, (uint8_t*)reply,
(uint8_t*)keys, sizeof(keys))<0) {
log_warn(LD_OR,"Failed to generate key material. Closing.");
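Review bot: The flag is set only inside the branch guarded by `tor_assert(cell->command == CELL_CREATE_FAST)`, so a peer whose first-hop circuits arrive as ordinary CREATE cells is not marked by this hunk and, as far as these lines show, remains eligible for EXTEND. The comment should record that limit, which fits the changelog's wording "Mitigates". The added comment also ends in a comma; I would write `/* CREATE_FAST is used for the first hop of a circuit, so treat the sender as a client: never use this connection to satisfy an EXTEND request. */`. The body of command_process_create_cell starts and ends outside the hunk.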
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 95cc02e34f..35f6da9214 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest,
tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN));
if (conn->_base.marked_for_close)
continue;
+ /* Never return a connection on which the other end appears to be
+ * a client. */
+ if (conn->is_connection_with_client) {
+ continue;
+ }
/* Never return a non-open connection. */
if (conn->_base.state != OR_CONN_STATE_OPEN) {
/* If the address matches, don't launch a new connection for this
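Review bot: The new test sits above the `OR_CONN_STATE_OPEN` check, so a client-marked connection is skipped before the address-match handling that follows and cannot hold back a new connection launch; that ordering looks intentional but is not stated. A short comment such as `/* Checked before the state test: a client connection must not suppress launching a fresh one. */` would keep a later reorder from undoing it. The braces around the single `continue;` also differ from the unbraced `marked_for_close` check directly above. The loop and the rest of connection_or_get_for_extend lie outside the hunk, so the effect on the launch decision is inferred.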
diff --git a/src/or/or.h b/src/or/or.h
index 4105ff42eb..72e4c639ad 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1031,6 +1031,10 @@ typedef struct or_connection_t {
* because the connection is too old, or because there's a better one, etc.
*/
unsigned int is_bad_for_new_circs:1;
+ /** True iff we have decided that the other end of this connection
+ * is a client. Connections with this flag set should never be used
+ * to satisfy an EXTEND request. */
+ unsigned int is_connection_with_client:1;
uint8_t link_proto; /**< What protocol version are we using? 0 for
* "none negotiated yet." */
circid_t next_circ_id; /**< Which circ_id do we try to use next on
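Review bot: The doc comment on `is_connection_with_client` does not say what sets the bit or whether it is ever cleared. In the visible hunks the only writer is the CREATE_FAST path in command.c and nothing resets it, so the classification appears to last for the connection's lifetime. I would extend the comment with `Set when a CREATE_FAST cell arrives on this connection; not cleared afterwards.` so a later caller does not assume the bit identifies every client. The struct continues outside the hunk.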