summaryrefslogtreecommitdiff
path: root/src/or/relay.c
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2013-01-14 14:02:13 -0500
committerNick Mathewson <nickm@torproject.org>2013-01-14 14:02:13 -0500
commit4ccf09b1c21a858540453287e58a478a80a598ae (patch)
treed626621e039b8ec4b9312a2e81241cc93be30076 /src/or/relay.c
parent52bf1556b18a3af0d7d4f612cd27e956353bf5b5 (diff)
downloadtor-4ccf09b1c21a858540453287e58a478a80a598ae.tar.gz
tor-4ccf09b1c21a858540453287e58a478a80a598ae.zip
Reject create/begin/etc cells with {circ,stream}ID 0.
Otherwise, it's possible to create streams or circuits with these bogus IDs, leading to orphaned circuits or streams, or to ones that can cause bandwidth DOS problems. Fixes bug 7889; bugfix on all released Tors.
Diffstat (limited to 'src/or/relay.c')
-rw-r--r--src/or/relay.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/or/relay.c b/src/or/relay.c
index 5f7fcd8b7c..a17c333310 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1046,6 +1046,23 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
return - END_CIRC_REASON_TORPROTOCOL;
}
+ if (rh.stream_id == 0) {
+ switch (rh.command) {
+ case RELAY_COMMAND_BEGIN:
+ case RELAY_COMMAND_CONNECTED:
+ case RELAY_COMMAND_DATA:
+ case RELAY_COMMAND_END:
+ case RELAY_COMMAND_RESOLVE:
+ case RELAY_COMMAND_RESOLVED:
+ case RELAY_COMMAND_BEGIN_DIR:
+ log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero "
+ "stream_id. Dropping.", (int)rh.command);
+ return 0;
+ default:
+ ;
+ }
+ }
+
/* either conn is NULL, in which case we've got a control cell, or else
* conn points to the recognized stream. */