diff options
| author | Nick Mathewson <nickm@torproject.org> | 2017-06-08 09:21:15 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2017-06-08 09:21:15 -0400 |
| commit | 2cc6d8d5786508c3b1dd248efa447f693d21840a (patch) | |
| tree | ae0aefe38d8787755dddb659909a96e53cc07d9e | |
| parent | 5d34df50f821839399faf82ccfd80b8b51b2fa30 (diff) | |
| parent | 987c7cae7073ba2c579cc81f973446831246858d (diff) | |
| download | tor-2cc6d8d5786508c3b1dd248efa447f693d21840a.tar.gz tor-2cc6d8d5786508c3b1dd248efa447f693d21840a.zip | |
Merge branch 'maint-0.2.9' into release-0.2.9
| -rw-r--r-- | changes/trove-2017-005 | 7 | ||||
| -rw-r--r-- | src/or/relay.c | 3 |
2 files changed, 9 insertions, 1 deletions
diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 new file mode 100644 index 0000000000..cebb013f86 --- /dev/null +++ b/changes/trove-2017-005 @@ -0,0 +1,7 @@ + o Major bugfixes (hidden service, relay, security): + - Fix an assertion failure caused by receiving a BEGIN_DIR cell on + a hidden service rendezvous circuit. Fixes bug 22494, tracked as + TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found + by armadev. + + diff --git a/src/or/relay.c b/src/or/relay.c index 1794215378..4e9dadba16 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1499,7 +1499,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, "Begin cell for known stream. Dropping."); return 0; } - if (rh.command == RELAY_COMMAND_BEGIN_DIR) { + if (rh.command == RELAY_COMMAND_BEGIN_DIR && + circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { /* Assign this circuit and its app-ward OR connection a unique ID, * so that we can measure download times. The local edge and dir * connection will be assigned the same ID when they are created |