summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--changes/issue-2011-10-19L9
-rw-r--r--src/or/command.c6
-rw-r--r--src/or/connection_or.c5
-rw-r--r--src/or/or.h4
4 files changed, 24 insertions, 0 deletions
diff --git a/changes/issue-2011-10-19L b/changes/issue-2011-10-19L
index 972823eeea..1fefd7267e 100644
--- a/changes/issue-2011-10-19L
+++ b/changes/issue-2011-10-19L
@@ -10,3 +10,12 @@
upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by
frosty_un.
+ - Don't use any OR connection on which we have received a
+ CREATE_FAST cell to satisfy an EXTEND request. Previously, we
+ would not consider whether a connection appears to be from a
+ client or bridge when deciding whether to use that connection to
+ satisfy an EXTEND request. Mitigates CVE-2011-2768, by
+ preventing an attacker from determining whether an unpatched
+ client is connected to a patched relay. Bugfix on FIXME; found
+ by frosty_un.
+
diff --git a/src/or/command.c b/src/or/command.c
index 61b898cead..a17a3a6025 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
* a CPU worker. */
char keys[CPATH_KEY_MATERIAL_LEN];
char reply[DIGEST_LEN*2];
+
tor_assert(cell->command == CELL_CREATE_FAST);
+
+ /* Make sure we never try to use the OR connection on which we
+ * received this cell to satisfy an EXTEND request, */
+ conn->is_connection_with_client = 1;
+
if (fast_server_handshake(cell->payload, (uint8_t*)reply,
(uint8_t*)keys, sizeof(keys))<0) {
log_warn(LD_OR,"Failed to generate key material. Closing.");
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 95cc02e34f..35f6da9214 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest,
tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN));
if (conn->_base.marked_for_close)
continue;
+ /* Never return a connection on which the other end appears to be
+ * a client. */
+ if (conn->is_connection_with_client) {
+ continue;
+ }
/* Never return a non-open connection. */
if (conn->_base.state != OR_CONN_STATE_OPEN) {
/* If the address matches, don't launch a new connection for this
diff --git a/src/or/or.h b/src/or/or.h
index 4105ff42eb..72e4c639ad 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1031,6 +1031,10 @@ typedef struct or_connection_t {
* because the connection is too old, or because there's a better one, etc.
*/
unsigned int is_bad_for_new_circs:1;
+ /** True iff we have decided that the other end of this connection
+ * is a client. Connections with this flag set should never be used
+ * to satisfy an EXTEND request. */
+ unsigned int is_connection_with_client:1;
uint8_t link_proto; /**< What protocol version are we using? 0 for
* "none negotiated yet." */
circid_t next_circ_id; /**< Which circ_id do we try to use next on