authorMike Perry <mikeperry-git@torproject.org>2023-12-06 17:23:19 +0000
committerMike Perry <mikeperry-git@torproject.org>2023-12-07 18:37:30 +0000
commitcc52f7e5b72199a1f3278daa9e0db876bc86c973 (patch)
tree748d9efb36c4d0a591b6f7def389c43d7d0d3370
parent03778a0f3489994e78de70c7c5cd69f570329fab (diff)
downloadtor-cc52f7e5b72199a1f3278daa9e0db876bc86c973.tar.gz
tor-cc52f7e5b72199a1f3278daa9e0db876bc86c973.zip
Bug 40897 Bug Bounty: Double the number of max conflux circs
We strongly suspect that bug 40897 was caused by a custom Tor client that tried to use more than the default number of conflux circuits, for either performance or traffic analysis defense gains, or both. This entity hit a safety check on the exit side, which caused a UAF. Our "belt and suspenders" snapped off, and hit us in the face... again... Since there are good reasons to try more than 2 conflux legs, and research has found some traffic analysis benefits with as many as 5, we're going to raise and parameterize this limit as a form of bug bounty for finding this UAF, so that this entity can try out a little more confluxing. This should also make it easier for researchers to try things like gathering traces with larger amounts of confluxing than normal, to measure real-world traffic analysis impacts of conflux. Shine on, you yoloing anonymous diamond. Let us know if you find out anything interesting!
-rw-r--r--src/core/or/conflux_params.c19
-rw-r--r--src/core/or/conflux_params.h1
-rw-r--r--src/core/or/conflux_pool.c2
-rw-r--r--src/core/or/conflux_st.h13
4 files changed, 21 insertions, 14 deletions
diff --git a/src/core/or/conflux_params.c b/src/core/or/conflux_params.c
index dbf4ae5272..65728032f9 100644
--- a/src/core/or/conflux_params.c
+++ b/src/core/or/conflux_params.c
@@ -56,6 +56,11 @@
#define NUM_LEGS_SET_MAX (UINT8_MAX)
#define NUM_LEGS_SET_DEFAULT (2)
+/* For "cfx_max_legs_set" */
+#define MAX_LEGS_SET_MIN (3)
+#define MAX_LEGS_SET_MAX (UINT8_MAX)
+#define MAX_LEGS_SET_DEFAULT (8)
+
/* For "cfx_send_pct". */
#define CFX_SEND_PCT_MIN (0)
#define CFX_SEND_PCT_MAX (255)
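Review bot: The rationale that came with the CONFLUX_MAX_CIRCS define removed from conflux_st.h in this same commit (three legs for the guard experiment, one more for a latency-probe circuit, possibly higher for traffic-analysis evaluation) is not carried over to the new MAX_LEGS_SET_* group, so why the floor is 3 and the default 8 is now undocumented. Suggest a comment above the three defines such as `/* Upper bound on legs a set may hold before linking is refused (try_finalize_set). Floor of 3 keeps room for the 3-guard experiment; default 8 doubles the former CONFLUX_MAX_CIRCS of 4. */`. Note also that MAX_LEGS_SET_MIN (3) sits below NUM_LEGS_SET_MAX (UINT8_MAX) a few lines up, so the two consensus parameters can be set to contradictory values; nothing in this hunk prevents that.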
@@ -81,6 +86,8 @@ static uint8_t max_prebuilt_set = MAX_PREBUILT_SET_DEFAULT;
STATIC uint32_t max_unlinked_leg_retry = MAX_UNLINKED_LEG_RETRY_DEFAULT;
/* Number of legs per set. */
static uint8_t num_legs_set = NUM_LEGS_SET_DEFAULT;
+/* Maximum number of legs per set allowed at exits */
+static uint8_t max_legs_set = MAX_LEGS_SET_DEFAULT;
/* The low Exit relay threshold, as a ratio between 0 and 1, used as a limit to
* decide the amount of pre-built set we build depending on how many Exit relay
* supports conflux in our current consensus. */
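Review bot: The new comment on `max_legs_set` lacks the trailing period and the parameter name that the neighbouring comments in this block use (`/* Number of legs per set. */`, the "For ..." markers above). For consistency: `/* Maximum number of legs per set allowed at exits ("cfx_max_legs_set"). */`.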
@@ -223,6 +230,13 @@ conflux_params_get_num_legs_set(void)
return num_legs_set;
}
+/** Return the maximum number of legs per set. */
+uint8_t
+conflux_params_get_max_legs_set(void)
+{
+ return max_legs_set;
+}
+
/** Return the drain percent we must hit before switching */
uint8_t
conflux_params_get_drain_pct(void)
@@ -275,6 +289,11 @@ conflux_params_new_consensus(const networkstatus_t *ns)
NUM_LEGS_SET_DEFAULT,
NUM_LEGS_SET_MIN, NUM_LEGS_SET_MAX);
+ max_legs_set =
+ networkstatus_get_param(ns, "cfx_max_legs_set",
+ MAX_LEGS_SET_DEFAULT,
+ MAX_LEGS_SET_MIN, MAX_LEGS_SET_MAX);
+
/* Params used by conflux.c */
cfx_send_pct = networkstatus_get_param(ns, "cfx_send_pct",
CFX_SEND_PCT_DFLT,
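Review bot: After both parameters are read there is no check that `num_legs_set` stays at or below `max_legs_set`, and the bounds permit the opposite (cfx_num_legs_set may go up to UINT8_MAX while cfx_max_legs_set may go down to 3). A consensus with such values would have clients build sets that every relay running this code rejects in try_finalize_set, which is a silent outage rather than a misconfiguration warning. One option, right after the `max_legs_set =` assignment: `if (num_legs_set > max_legs_set) { log_warn(LD_CIRC, "cfx_num_legs_set exceeds cfx_max_legs_set; clamping."); num_legs_set = max_legs_set; }`. Whether clamping or only warning is right depends on how the leg count is consumed on the client side, which is outside this hunk; conflux_params_new_consensus continues beyond the hunk as well.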
diff --git a/src/core/or/conflux_params.h b/src/core/or/conflux_params.h
index 22c3e4ad1f..06e902cf03 100644
--- a/src/core/or/conflux_params.h
+++ b/src/core/or/conflux_params.h
@@ -16,6 +16,7 @@ uint8_t conflux_params_get_max_linked_set(void);
uint8_t conflux_params_get_max_prebuilt(void);
uint8_t conflux_params_get_max_unlinked_leg_retry(void);
uint8_t conflux_params_get_num_legs_set(void);
+uint8_t conflux_params_get_max_legs_set(void);
uint8_t conflux_params_get_drain_pct(void);
uint8_t conflux_params_get_send_pct(void);
diff --git a/src/core/or/conflux_pool.c b/src/core/or/conflux_pool.c
index 5a677fb9aa..74781b307a 100644
--- a/src/core/or/conflux_pool.c
+++ b/src/core/or/conflux_pool.c
@@ -743,7 +743,7 @@ try_finalize_set(unlinked_circuits_t *unlinked)
/* If there are too many legs, we can't link. */
if (smartlist_len(unlinked->legs) +
- smartlist_len(unlinked->cfx->legs) > CONFLUX_MAX_CIRCS) {
+ smartlist_len(unlinked->cfx->legs) > conflux_params_get_max_legs_set()) {
log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
"Conflux set has too many legs to link. "
"Rejecting this circuit.");
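Review bot: With the limit now a consensus value rather than a compile-time constant, the rejection log on the lines following the changed condition no longer tells an operator what limit was in force or how far over it the set was, which makes a rejection caused by a lowered cfx_max_legs_set hard to tell apart from a misbehaving client. Suggest `"Conflux set has too many legs to link (%d > %u). "` with `"Rejecting this circuit.", smartlist_len(unlinked->legs) + smartlist_len(unlinked->cfx->legs), conflux_params_get_max_legs_set());` as the remaining arguments. The `int` plus `uint8_t` comparison itself promotes cleanly to `int`, so no correctness issue there. try_finalize_set starts and ends outside the hunk, so whether the sum is re-validated anywhere else cannot be seen here.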
diff --git a/src/core/or/conflux_st.h b/src/core/or/conflux_st.h
index 8d85ad1fbe..61e38f8268 100644
--- a/src/core/or/conflux_st.h
+++ b/src/core/or/conflux_st.h
@@ -22,19 +22,6 @@ typedef enum {
CONFLUX_ALG_CWNDRTT = 2,
} conflux_alg_t;
-/**
- * Maximum number of linked circuits.
- *
- * We want to experiment with 3 guards, so we need at least 3 here.
- *
- * However, we need 1 more than this, to support using a test circuit to probe
- * for a faster path, for applications that *require* a specific latency target
- * (like VoIP).
- *
- * We may also want to raise this for traffic analysis defense evaluation.
- */
-#define CONFLUX_MAX_CIRCS 4
-
/** XXX: Cached consensus params+scheduling alg */
struct conflux_params_t {
conflux_alg_t alg;