aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2008-10-27 16:46:45 +0000
committerNick Mathewson <nickm@torproject.org>2008-10-27 16:46:45 +0000
commitee31e0829e976412c57521ab1cacfb57a1a76931 (patch)
tree41397a27cf5a528d8d2829b2f1008895c09183d6
parent0ab45fee73812a90c8714a6a3d99d5727a6733f3 (diff)
downloadtor-ee31e0829e976412c57521ab1cacfb57a1a76931.tar.gz
tor-ee31e0829e976412c57521ab1cacfb57a1a76931.zip
Verify cpath_layer match on rendezvous cells too. Fixes another case of bug 446. Based on patch from rovv.
svn:r17162
-rw-r--r--ChangeLog4
-rw-r--r--src/or/or.h4
-rw-r--r--src/or/relay.c3
-rw-r--r--src/or/rendcommon.c14
4 files changed, 19 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index af2b817040..f854b76fa8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,10 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx
- Fix another case of assuming, when a specific exit is requested,
that we know more than the user about what hosts it allows.
Fixes another case of bug 752. Patch from rovv.
+ - Check which hops rendezvous stream cells are associated with to
+ prevent possible guess-the-streamid injection attacks from
+ intermediate hops. Fixes another case of bug 446. Based on patch
+ from rovv.
Changes in version 0.2.1.6-alpha - 2008-09-30
diff --git a/src/or/or.h b/src/or/or.h
index 06bd64492d..147cffca76 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3963,8 +3963,8 @@ rend_data_free(rend_data_t *data)
int rend_cmp_service_ids(const char *one, const char *two);
-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
- const char *payload);
+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+ int command, size_t length, const char *payload);
void rend_service_descriptor_free(rend_service_descriptor_t *desc);
int rend_encode_service_descriptor(rend_service_descriptor_t *desc,
diff --git a/src/or/relay.c b/src/or/relay.c
index 5bb712bf19..e5d6d73be0 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1151,7 +1151,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
case RELAY_COMMAND_RENDEZVOUS2:
case RELAY_COMMAND_INTRO_ESTABLISHED:
case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
- rend_process_relay_cell(circ, rh.command, rh.length,
+ rend_process_relay_cell(circ, layer_hint,
+ rh.command, rh.length,
cell->payload+RELAY_HEADER_SIZE);
return 0;
}
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index ccd52fceee..b5f8683f92 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -1387,16 +1387,24 @@ rend_cache_store_v2_desc_as_client(const char *desc,
/** Called when we get a rendezvous-related relay cell on circuit
* <b>circ</b>. Dispatch on rendezvous relay command. */
void
-rend_process_relay_cell(circuit_t *circ, int command, size_t length,
+rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+ int command, size_t length,
const char *payload)
{
or_circuit_t *or_circ = NULL;
origin_circuit_t *origin_circ = NULL;
int r = -2;
- if (CIRCUIT_IS_ORIGIN(circ))
+ if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circ = TO_ORIGIN_CIRCUIT(circ);
- else
+ if (layer_hint && layer_hint != origin_circ->cpath->prev) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Relay cell (rend purpose %d) from wrong hop on origin circ",
+ command);
+ origin_circ = NULL;
+ }
+ } else {
or_circ = TO_OR_CIRCUIT(circ);
+ }
switch (command) {
case RELAY_COMMAND_ESTABLISH_INTRO: