diff options
| author | Nick Mathewson <nickm@torproject.org> | 2013-01-15 16:30:07 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2013-01-15 16:30:07 -0500 |
| commit | ae15b55173abff1175e0f56759abd29e2870b16c (patch) | |
| tree | c2fb2e4479ccdcf5d85db6b86d00ea16ed8fea71 | |
| parent | 1625cddf3af74643bdeaa31e7684aaa15bf5ea0c (diff) | |
| parent | 4ccf09b1c21a858540453287e58a478a80a598ae (diff) | |
| download | tor-ae15b55173abff1175e0f56759abd29e2870b16c.tar.gz tor-ae15b55173abff1175e0f56759abd29e2870b16c.zip | |
Merge branch 'bug7889_023' into maint-0.2.3
| -rw-r--r-- | changes/bug7889 | 8 | ||||
| -rw-r--r-- | src/or/command.c | 8 | ||||
| -rw-r--r-- | src/or/relay.c | 17 |
3 files changed, 33 insertions, 0 deletions
diff --git a/changes/bug7889 b/changes/bug7889 new file mode 100644 index 0000000000..ce99a59ce5 --- /dev/null +++ b/changes/bug7889 @@ -0,0 +1,8 @@ + o Major bugfixes: + - Reject bogus create and relay cells with 0 circuit ID or 0 stream + ID: these could be used to create unexpected streams and circuits + which would count as "present" to some parts of Tor but "absent" + to others, leading to zombie circuits and streams or to a + bandwidth DOS. Fixes bug 7889; bugfix on every released version of + Tor. Reported by "oftc_must_be_destroyed". + diff --git a/src/or/command.c b/src/or/command.c index d935b5b18d..8321e261e0 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -382,6 +382,14 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) return; } + if (cell->circ_id == 0) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received a create cell (type %d) from %s:%d with zero circID; " + " ignoring.", (int)cell->command, conn->_base.address, + conn->_base.port); + return; + } + /* If the high bit of the circuit ID is not as expected, close the * circ. */ id_is_high = cell->circ_id & (1<<15); diff --git a/src/or/relay.c b/src/or/relay.c index 5f7fcd8b7c..a17c333310 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1046,6 +1046,23 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, return - END_CIRC_REASON_TORPROTOCOL; } + if (rh.stream_id == 0) { + switch (rh.command) { + case RELAY_COMMAND_BEGIN: + case RELAY_COMMAND_CONNECTED: + case RELAY_COMMAND_DATA: + case RELAY_COMMAND_END: + case RELAY_COMMAND_RESOLVE: + case RELAY_COMMAND_RESOLVED: + case RELAY_COMMAND_BEGIN_DIR: + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero " + "stream_id. Dropping.", (int)rh.command); + return 0; + default: + ; + } + } + /* either conn is NULL, in which case we've got a control cell, or else * conn points to the recognized stream. */ |