author: David Goulet <dgoulet@torproject.org> 2017-06-05 11:11:42 -0400
committer: Nick Mathewson <nickm@torproject.org> 2017-06-08 09:21:10 -0400
commit: 56a7c5bc15e0447203a491c1ee37de9939ad1dcd
tree: 56c20372343b1eb11608c76cf2ff786803e1f6bd /src/or/relay.c
parent: 4ee48cb434c46d9e4c477dabd8a97f03e3db221d
TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
On a hidden service rendezvous circuit, a BEGIN_DIR could be sent (maliciously) which would trigger a tor_assert() because connection_edge_process_relay_cell() thought that the circuit is an or_circuit_t but is an origin circuit in reality.

Fixes #22494

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/relay.c')
-rw-r--r-- src/or/relay.c 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/or/relay.c b/src/or/relay.c
index 7f06c6e145..59b79f95c9 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1297,7 +1297,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
"Begin cell for known stream. Dropping.");
return 0;
}
- if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
+ if (rh.command == RELAY_COMMAND_BEGIN_DIR &&
+ circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
/* Assign this circuit and its app-ward OR connection a unique ID,
* so that we can measure download times. The local edge and dir
* connection will be assigned the same ID when they are created
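Review bot: the guard added on the two `+` lines excludes only `CIRCUIT_PURPOSE_S_REND_JOINED`, while the commit message describes the fault as an origin circuit being handled as an `or_circuit_t`. A test on the circuit's type rather than on one purpose value would cover any origin circuit that reaches this branch. If the purpose test stays, add a one-line comment above the condition saying that rendezvous-joined circuits are origin circuits and must not enter the `or_circuit_t` path, since the existing comment below only explains the ID assignment. The hunk also does not show what happens to a BEGIN_DIR cell on such a circuit once this branch is skipped, so it is worth confirming that the fall-through path handles or rejects it deliberately, and adding a regression test that sends BEGIN_DIR on a joined rendezvous circuit.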