-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | src/or/relay.c | 12 | ||||
-rw-r--r-- | src/or/routerlist.c | 2 |
3 files changed, 15 insertions, 5 deletions
@@ -81,6 +81,12 @@ Changes in version 0.2.0.3-alpha - 2007-??-?? - Fix a possible buffer overrun when using BSD natd support. Bug found by croup.
+ o Security fixes (circuits):
+ - Keep streamids from different exits on a circuit separate. This
+ bug may have allowed other routers on a given circuit to inject
+ cells into streams. Reported by lodger; fixes bug 446. [Bugfix
+ on 0.1.2.x]
+
 Changes in version 0.2.0.2-alpha - 2007-06-02 o Major bugfixes on 0.2.0.1-alpha:
diff --git a/src/or/relay.c b/src/or/relay.c
index 2bcd400453..a2f77eaf4d 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -18,7 +18,8 @@ const char relay_c_id[] = static int relay_crypt(circuit_t *circ, cell_t *cell, int cell_direction, crypt_path_t **layer_hint, char *recognized); static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,
- int cell_direction);
+ int cell_direction,
+ crypt_path_t *layer_hint);
 static int connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
@@ -164,7 +165,8 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, int cell_direction) } if (recognized) {
- edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction);
+ edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction,
+ layer_hint);
 if (cell_direction == CELL_DIRECTION_OUT) { ++stats_n_relay_cells_delivered; log_debug(LD_OR,"Sending away from origin.");
@@ -380,7 +382,8 @@ circuit_package_relay_cell(cell_t *cell, circuit_t *circ, * attached to circ, return that conn, else return NULL. */ static edge_connection_t *
-relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction)
+relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction,
+ crypt_path_t *layer_hint)
 { edge_connection_t *tmpconn; relay_header_t rh;
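Review bot: The header comment above relay_lookup_conn in the `@@ -380,7 +382,8 @@` hunk still ends with "attached to circ, return that conn, else return NULL" and does not mention the new `layer_hint` parameter. That parameter is the whole of this security fix, so the contract should be written down for the next caller, for example `On an origin circuit, only return a stream whose cpath_layer is <b>layer_hint</b>.` The comment begins above the hunk and the function body continues below it, so the wording may need adjusting to the lines not shown here.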
@@ -398,7 +401,8 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction) for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn; tmpconn=tmpconn->next_stream) { if (rh.stream_id == tmpconn->stream_id &&
- !tmpconn->_base.marked_for_close) {
+ !tmpconn->_base.marked_for_close &&
+ tmpconn->cpath_layer == layer_hint) {
 log_debug(LD_APP,"found conn for stream %d.", rh.stream_id); return tmpconn; }
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 944245d140..51877b5874 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -1155,7 +1155,7 @@ router_get_advertised_bandwidth(routerinfo_t *router) * * If <b>for_exit</b>, we're picking an exit node: consider all nodes' * bandwidth equally regardless of their Exit status. If not <b>for_exit</b>,
- * we're picking a non-exit node: weight exit-node's bandwidth downwards
+ * we're picking a non-exit node: weight exit-node's bandwidth less
 * depending on the smallness of the fraction of Exit-to-total bandwidth. */ static void * |
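Review bot: In the `@@ -398,7 +401,8 @@` hunk of src/or/relay.c, a cell whose stream_id matches an open stream but whose `cpath_layer` differs from `layer_hint` is now skipped without any trace. That is presumably the case the ChangeLog entry describes, where another router on the circuit tries to inject cells into a stream. Consider testing the layer separately inside the stream-id match and logging the mismatch before moving on, e.g. `log_info(LD_APP,"stream %d matched but cell came from a different hop; ignoring.", rh.stream_id);`, so a rejected cell can be seen in the logs. Only the origin-circuit `p_streams` loop is inside the hunk, so whether the other lookup paths in relay_lookup_conn need an equivalent check cannot be judged from these lines.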