Reject create/begin/etc cells with {circ,stream}ID 0.

Otherwise, it's possible to create streams or circuits with these bogus IDs, leading to orphaned circuits or streams, or to ones that can cause bandwidth DOS problems. Fixes bug 7889; bugfix on all released Tors.
author: Nick Mathewson <nickm@torproject.org> 2013-01-14 14:02:13 -0500
committer: Nick Mathewson <nickm@torproject.org> 2013-01-14 14:02:13 -0500
commit: 4ccf09b1c21a858540453287e58a478a80a598ae (patch)
tree: d626621e039b8ec4b9312a2e81241cc93be30076 /src/or/command.c
parent: 52bf1556b18a3af0d7d4f612cd27e956353bf5b5 (diff)
download: tor-4ccf09b1c21a858540453287e58a478a80a598ae.tar.gz
tor-4ccf09b1c21a858540453287e58a478a80a598ae.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/src/or/command.c b/src/or/command.c
index d935b5b18d..8321e261e0 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -382,6 +382,14 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     return;
   }
 
+  if (cell->circ_id == 0) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Received a create cell (type %d) from %s:%d with zero circID; "
+           " ignoring.", (int)cell->command, conn->_base.address,
+           conn->_base.port);
+    return;
+  }
+
   /* If the high bit of the circuit ID is not as expected, close the
    * circ. */
   id_is_high = cell->circ_id & (1<<15);
author	Nick Mathewson <nickm@torproject.org>	2013-01-14 14:02:13 -0500
committer	Nick Mathewson <nickm@torproject.org>	2013-01-14 14:02:13 -0500
commit	4ccf09b1c21a858540453287e58a478a80a598ae (patch)
tree	d626621e039b8ec4b9312a2e81241cc93be30076 /src/or/command.c
parent	52bf1556b18a3af0d7d4f612cd27e956353bf5b5 (diff)
download	tor-4ccf09b1c21a858540453287e58a478a80a598ae.tar.gz tor-4ccf09b1c21a858540453287e58a478a80a598ae.zip