diff options
| author | Roger Dingledine <arma@torproject.org> | 2006-07-30 04:38:48 +0000 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2006-07-30 04:38:48 +0000 |
| commit | 1acb7f1ef8705bbb9f077d03c321f8fc25427f78 (patch) | |
| tree | ccfab9eff09d92699c2679b3ac29a9a28030ac70 /src | |
| parent | c441a5f98a9a1e5f616d1228c6f13e100b7249a9 (diff) | |
| download | tor-1acb7f1ef8705bbb9f077d03c321f8fc25427f78.tar.gz tor-1acb7f1ef8705bbb9f077d03c321f8fc25427f78.zip | |
defense in depth
svn:r6940
Diffstat (limited to 'src')
| -rw-r--r-- | src/or/circuitbuild.c | 7 | ||||
| -rw-r--r-- | src/or/command.c | 9 | ||||
| -rw-r--r-- | src/or/connection_edge.c | 10 |
3 files changed, 24 insertions, 2 deletions
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 1bf16c1ac6..6a9ed3b16b 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -683,10 +683,15 @@ circuit_extend(cell_t *cell, circuit_t *circ) char *id_digest=NULL; if (circ->n_conn) { - log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL, + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "n_conn already set. Bug/attack. Closing."); return -1; } + if (!server_mode(get_options())) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Got an extend cell, but running as a client. Closing."); + return -1; + } relay_header_unpack(&rh, cell->payload); diff --git a/src/or/command.c b/src/or/command.c index de13627d1c..6c55174772 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -172,6 +172,15 @@ command_process_create_cell(cell_t *cell, connection_t *conn) END_CIRC_REASON_HIBERNATING); return; } + if (!server_mode(get_options())) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Received create cell (type %d) from %s:%d, but we're a client. " + "Sending back a destroy.", + (int)cell->command, conn->address, conn->port); + connection_or_send_destroy(cell->circ_id, conn, + END_CIRC_REASON_TORPROTOCOL); + return; + } /* If the high bit of the circuit ID is not as expected, then switch * which half of the space we'll use for our own CREATE cells. diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 165b753ada..902e0c009b 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -1575,12 +1575,20 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ) uint16_t port; assert_circuit_ok(circ); - relay_header_unpack(&rh, cell->payload); /* XXX currently we don't send an end cell back if we drop the * begin because it's malformed. */ + if (!server_mode(get_options()) && + circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) { + log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Relay begin cell at non-server. Dropping."); + return 0; + } + + relay_header_unpack(&rh, cell->payload); + if (!memchr(cell->payload+RELAY_HEADER_SIZE, 0, rh.length)) { log_warn(LD_PROTOCOL,"relay begin cell has no \\0. Dropping."); return 0; |