Merge branch 'maint-0.4.6' into release-0.4.6

2 files changed, 13 insertions, 3 deletions

diff --git a/changes/bug40391 b/changes/bug40391
new file mode 100644
index 0000000000..e3c186275f
--- /dev/null
+++ b/changes/bug40391
@@ -0,0 +1,9 @@
+  o Major bugfixes (security):
+    - Resist a hashtable-based CPU denial-of-service attack against
+      relays. Previously we used a naive unkeyed hash function to look up
+      circuits in a circuitmux object. An attacker could exploit this to
+      construct circuits with chosen circuit IDs in order to try to create
+      collisions and make the hash table inefficient.  Now we use a SipHash
+      construction for this hash table instead. Fixes bug 40391; bugfix on
+      0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
+      Reported by Jann Horn from Google's Project Zero.
diff --git a/src/core/or/circuitmux.c b/src/core/or/circuitmux.c
index 4860c6ed52..6f8761ca39 100644
--- a/src/core/or/circuitmux.c
+++ b/src/core/or/circuitmux.c
@@ -169,9 +169,10 @@ chanid_circid_entries_eq(chanid_circid_muxinfo_t *a,
 static inline unsigned int
 chanid_circid_entry_hash(chanid_circid_muxinfo_t *a)
 {
-    return (((unsigned int)(a->circ_id) << 8) ^
-            ((unsigned int)((a->chan_id >> 32) & 0xffffffff)) ^
-            ((unsigned int)(a->chan_id & 0xffffffff)));
+  uint8_t data[8 + 4];
+  set_uint64(data, a->chan_id);
+  set_uint32(data + 8, a->circ_id);
+  return (unsigned) siphash24g(data, sizeof(data));
 }
 
 /* Emit a bunch of hash table stuff */