TROVE-2021-003: Check layer_hint before half-closed end and resolve cells

This issue was reported by Jann Horn part of Google's Project Zero. Jann's one-sentence summary: entry/middle relays can spoof RELAY_END cells on half-closed streams, which can lead to stream confusion between OP and exit. Fixes #40389
author: David Goulet <dgoulet@torproject.org> 2021-06-03 09:33:21 -0400
committer: Nick Mathewson <nickm@torproject.org> 2021-06-10 08:50:05 -0400
commit: adb248b6d6e0779719e6b873ee12a1e22fa390f4 (patch)
tree: e8f633706ef4013390d413f9f37708113b6e9a9d /changes/ticket40389
parent: d71bf986b4faf7cb3b654192bc67d5b674cfcf02 (diff)
download: tor-adb248b6d6e0779719e6b873ee12a1e22fa390f4.tar.gz
tor-adb248b6d6e0779719e6b873ee12a1e22fa390f4.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/changes/ticket40389 b/changes/ticket40389
new file mode 100644
index 0000000000..7dcf65b32e
--- /dev/null
+++ b/changes/ticket40389
@@ -0,0 +1,3 @@
+  o Major bugfixes (relay, TROVE):
+    - Don't allow entry or middle relays to spoof RELAY_END or RELAY_RESOLVED
+      cell on half-closed streams. Fixes bug 40389; bugfix on 0.3.5.1-alpha.
author	David Goulet <dgoulet@torproject.org>	2021-06-03 09:33:21 -0400
committer	Nick Mathewson <nickm@torproject.org>	2021-06-10 08:50:05 -0400
commit	adb248b6d6e0779719e6b873ee12a1e22fa390f4 (patch)
tree	e8f633706ef4013390d413f9f37708113b6e9a9d /changes/ticket40389
parent	d71bf986b4faf7cb3b654192bc67d5b674cfcf02 (diff)
download	tor-adb248b6d6e0779719e6b873ee12a1e22fa390f4.tar.gz tor-adb248b6d6e0779719e6b873ee12a1e22fa390f4.zip