diff options
| author | Roger Dingledine <arma@torproject.org> | 2006-07-30 04:32:58 +0000 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2006-07-30 04:32:58 +0000 |
| commit | 2bcb081cb1d788b46d5ce86e085549fe5b1d3b81 (patch) | |
| tree | 922cae7e61679bef19f388ee34c3001872966364 | |
| parent | 7498d31b0981b4c0175dca0f7d3aa5e008725cbd (diff) | |
| download | tor-2bcb081cb1d788b46d5ce86e085549fe5b1d3b81.tar.gz tor-2bcb081cb1d788b46d5ce86e085549fe5b1d3b81.zip | |
defense in depth
svn:r6939
| -rw-r--r-- | src/or/circuitbuild.c | 8 | ||||
| -rw-r--r-- | src/or/command.c | 10 | ||||
| -rw-r--r-- | src/or/connection_edge.c | 10 |
3 files changed, 26 insertions, 2 deletions
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index d2973203ac..fa5da30c49 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -625,11 +625,17 @@ circuit_extend(cell_t *cell, circuit_t *circ) char *id_digest=NULL; if (circ->n_conn) { - log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL, + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "n_conn already set. Bug/attack. Closing."); return -1; } + if (!server_mode(get_options())) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Got an extend cell, but running as a client. Closing."); + return -1; + } + relay_header_unpack(&rh, cell->payload); if (rh.length < 4+2+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) { diff --git a/src/or/command.c b/src/or/command.c index 9e3e529737..f508ab2545 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -173,6 +173,16 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) return; } + if (!server_mode(get_options())) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received create cell (type %d) from %s:%d, but we're a client. " + "Sending back a destroy.", + (int)cell->command, conn->_base.address, conn->_base.port); + connection_or_send_destroy(cell->circ_id, conn, + END_CIRC_REASON_TORPROTOCOL); + return; + } + /* If the high bit of the circuit ID is not as expected, close the * circ. */ id_is_high = cell->circ_id & (1<<15); diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 7839a91de2..746d65afc2 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1598,12 +1598,20 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) uint16_t port; assert_circuit_ok(circ); - relay_header_unpack(&rh, cell->payload); /* XXX currently we don't send an end cell back if we drop the * begin because it's malformed. */ + if (!server_mode(get_options()) && + circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Relay begin cell at non-server. Dropping."); + return 0; + } + + relay_header_unpack(&rh, cell->payload); + if (!memchr(cell->payload+RELAY_HEADER_SIZE, 0, rh.length)) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay begin cell has no \\0. Dropping."); |