author Sebastian Hahn <sebastian@torproject.org> 2010-12-30 19:54:13 +0100
committer Sebastian Hahn <sebastian@torproject.org> 2011-01-15 19:42:17 +0100
commit 026e7987ad312a26efb926ae44adc158770de7cd
tree 73a8e03bc137be9aa3aaa644ea5bc2e1a1586987 /doc/spec/dir-spec.txt
parent ca6c8136128eed09a33aeeddc6d11b58b4eb361b
Sanity-check consensus param values
We need to make sure that the worst thing that a weird consensus param can do to us is to break our Tor (and only if the other Tors are reliably broken in the same way) so that the majority of directory authorities can't pull any attacks that are worse than the DoS that they can trigger by simply shutting down. One of these worse things was the cbtnummodes parameter, which could lead to heap corruption on some systems if the value was sufficiently large. This commit fixes this particular issue and also introduces sanity checking for all consensus parameters.
Diffstat (limited to 'doc/spec/dir-spec.txt')
-rw-r--r-- doc/spec/dir-spec.txt 8
1 files changed, 6 insertions, 2 deletions
diff --git a/doc/spec/dir-spec.txt b/doc/spec/dir-spec.txt
index 6e35deb00e..4ba2ee38bf 100644
--- a/doc/spec/dir-spec.txt
+++ b/doc/spec/dir-spec.txt
@@ -1161,12 +1161,14 @@
research indicates that a lower value would mean fewer cells in
transit in the network at any given time. Obeyed by Tor 0.2.1.20
and later.
+ Min: 1, Max: 100000 XXX are these sane
"CircuitPriorityHalflifeMsec" -- the halflife parameter used when
weighting which circuit will send the next cell. Obeyed by Tor
0.2.2.10-alpha and later. (Versions of Tor between 0.2.2.7-alpha
and 0.2.2.10-alpha recognized a "CircPriorityHalflifeMsec" parameter,
but mishandled it badly.)
+ Min: -1, Max: 2147483647 (INT32_MAX) XXX are these sane?
"perconnbwrate" and "perconnbwburst" -- if set, each relay sets
up a separate token bucket for every client OR connection,
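Review bot: The two added bounds lines in this hunk ("Min: 1, Max: 100000 XXX are these sane" and "Min: -1, Max: 2147483647 (INT32_MAX) XXX are these sane?") put open questions into the spec text, so an implementer reading dir-spec.txt cannot tell whether these limits are settled. Resolve the bounds before this lands, or move the question to a tracker entry and keep only the "Min: ..., Max: ..." part. For "CircuitPriorityHalflifeMsec", a minimum of -1 also needs a sentence saying what a negative value means, since the paragraph only describes the parameter as a halflife.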
@@ -1176,12 +1178,14 @@
and later. (Note that relays running 0.2.2.7-alpha through
0.2.2.14-alpha looked for bwconnrate and bwconnburst, but then
did the wrong thing with them; see bug 1830 for details.)
+ Min: 1, Max: 2147483647 (INT32_MAX)
- "refuseunknownexits" -- if set and non-zero, exit relays look at
+ "refuseunknownexits" -- if set to one, exit relays look at
the previous hop of circuits that ask to open an exit stream,
and refuse to exit if they don't recognize it as a relay. The
goal is to make it harder for people to use them as one-hop
proxies. See trac entry 1751 for details.
+ Min: 0, Max: 1
See also "2.4.5. Consensus parameters governing behavior"
in path-spec.txt for a series of circuit build time related
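Review bot: In the "refuseunknownexits" paragraph, the change from "if set and non-zero" to "if set to one", together with "Min: 0, Max: 1", leaves it unstated what a relay does when the consensus carries a value above 1: under the old wording that enabled the check, and the new text does not say whether such a value is clamped to 1 or ignored. Add a sentence giving the out-of-range behaviour, ideally once for all parameters. The "Min: 1, Max: 2147483647 (INT32_MAX)" line above it should also say explicitly that it applies to both "perconnbwrate" and "perconnbwburst".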
@@ -1820,7 +1824,7 @@
To ensure consensus, all calculations are performed using integer math
with a fixed precision determined by the bwweightscale consensus
- parameter (defaults at 10000).
+ parameter (defaults at 10000, Min: 1, Max: INT32_MAX).
For future balancing improvements, Tor clients support 11 additional weights
for directory requests and middle weighting. These weights are currently
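Review bot: The bound added to the bwweightscale sentence is written "Max: INT32_MAX", while the other parameters in this patch spell it "2147483647 (INT32_MAX)"; use one form throughout so the limits can be searched and compared. Since the sentence says all calculations use the precision set by this parameter, it is also worth stating here what a client does with an out-of-range value, so that every implementation computes the same weights.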