TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell

On an hidden service rendezvous circuit, a BEGIN_DIR could be sent (maliciously) which would trigger a tor_assert() because connection_edge_process_relay_cell() thought that the circuit is an or_circuit_t but is an origin circuit in reality. Fixes #22494 Reported-by: Roger Dingledine <arma@torproject.org> Signed-off-by: David Goulet <dgoulet@torproject.org>
author: David Goulet <dgoulet@torproject.org> 2017-06-05 11:11:42 -0400
committer: Nick Mathewson <nickm@torproject.org> 2017-06-08 09:21:10 -0400
commit: 56a7c5bc15e0447203a491c1ee37de9939ad1dcd (patch)
tree: 56c20372343b1eb11608c76cf2ff786803e1f6bd /changes
parent: 4ee48cb434c46d9e4c477dabd8a97f03e3db221d (diff)
download: tor-56a7c5bc15e0447203a491c1ee37de9939ad1dcd.tar.gz
tor-56a7c5bc15e0447203a491c1ee37de9939ad1dcd.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/changes/trove-2017-005 b/changes/trove-2017-005
new file mode 100644
index 0000000000..cebb013f86
--- /dev/null
+++ b/changes/trove-2017-005
@@ -0,0 +1,7 @@
+  o Major bugfixes (hidden service, relay, security):
+    - Fix an assertion failure caused by receiving a BEGIN_DIR cell on
+      a hidden service rendezvous circuit. Fixes bug 22494, tracked as
+      TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found
+      by armadev.
+
+
author	David Goulet <dgoulet@torproject.org>	2017-06-05 11:11:42 -0400
committer	Nick Mathewson <nickm@torproject.org>	2017-06-08 09:21:10 -0400
commit	56a7c5bc15e0447203a491c1ee37de9939ad1dcd (patch)
tree	56c20372343b1eb11608c76cf2ff786803e1f6bd /changes
parent	4ee48cb434c46d9e4c477dabd8a97f03e3db221d (diff)
download	tor-56a7c5bc15e0447203a491c1ee37de9939ad1dcd.tar.gz tor-56a7c5bc15e0447203a491c1ee37de9939ad1dcd.zip