From ee31e0829e976412c57521ab1cacfb57a1a76931 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 27 Oct 2008 16:46:45 +0000
Subject: Verify cpath_layer match on rendezvous cells too. Fixes another case of bug 446. Based on patch from rovv. svn:r17162
---
 ChangeLog | 4 ++++
 src/or/or.h | 4 ++--
 src/or/relay.c | 3 ++-
 src/or/rendcommon.c | 14 +++++++++++---
 4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index af2b817040..f854b76fa8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,10 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx
 - Fix another case of assuming, when a specific exit is requested, that we know more than the user about what hosts it allows. Fixes another case of bug 752. Patch from rovv.
+ - Check which hops rendezvous stream cells are associated with to
+ prevent possible guess-the-streamid injection attacks from
+ intermediate hops. Fixes another case of bug 446. Based on patch
+ from rovv.
 Changes in version 0.2.1.6-alpha - 2008-09-30
diff --git a/src/or/or.h b/src/or/or.h
index 06bd64492d..147cffca76 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3963,8 +3963,8 @@ rend_data_free(rend_data_t *data)
 int rend_cmp_service_ids(const char *one, const char *two);
-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
- const char *payload);
+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+ int command, size_t length, const char *payload);
 void rend_service_descriptor_free(rend_service_descriptor_t *desc);
 int rend_encode_service_descriptor(rend_service_descriptor_t *desc,
diff --git a/src/or/relay.c b/src/or/relay.c
index 5bb712bf19..e5d6d73be0 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1151,7 +1151,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 case RELAY_COMMAND_RENDEZVOUS2:
 case RELAY_COMMAND_INTRO_ESTABLISHED:
 case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
- rend_process_relay_cell(circ, rh.command, rh.length,
+ rend_process_relay_cell(circ, layer_hint,
+ rh.command, rh.length,
 cell->payload+RELAY_HEADER_SIZE);
 return 0;
 }
diff --git a/src/or/rendcommon.c b/src/or/rendcommon.c
index ccd52fceee..b5f8683f92 100644
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -1387,16 +1387,24 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 /** Called when we get a rendezvous-related relay cell on circuit
 * circ. Dispatch on rendezvous relay command. */
 void
-rend_process_relay_cell(circuit_t *circ, int command, size_t length,
+rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+ int command, size_t length,
 const char *payload)
 {
 or_circuit_t *or_circ = NULL;
 origin_circuit_t *origin_circ = NULL;
 int r = -2;
- if (CIRCUIT_IS_ORIGIN(circ))
+ if (CIRCUIT_IS_ORIGIN(circ)) {
 origin_circ = TO_ORIGIN_CIRCUIT(circ);
- else
+ if (layer_hint && layer_hint != origin_circ->cpath->prev) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Relay cell (rend purpose %d) from wrong hop on origin circ",
+ command);
+ origin_circ = NULL;
+ }
+ } else {
 or_circ = TO_OR_CIRCUIT(circ);
+ }
 switch (command) {
 case RELAY_COMMAND_ESTABLISH_INTRO:
-- cgit v1.2.3-54-g00ecf
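Review bot: The `return 0;` after the call in this hunk is unconditional and `rend_process_relay_cell()` returns void, so a rendezvous cell rejected for arriving from the wrong hop is indistinguishable to this caller from an accepted one. If dropping and logging while keeping the circuit open is the intended policy, state it at the call site, e.g. `/* Wrong-hop cells are dropped and logged inside rend_process_relay_cell(); the circuit is left open. */`. The enclosing switch in connection_edge_process_relay_cell starts outside the hunk, so how `layer_hint` is derived cannot be checked from here.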
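Review bot: On a wrong-hop cell the new branch only sets `origin_circ = NULL;` and then falls into `switch (command)`, so the cell is dropped only if every case arm guards on a non-NULL circuit pointer, and those arms are outside the hunk. Replacing that assignment with an explicit `return;` after the `log_fn(...)` call would make the rejection independent of them. The guard is also skipped whenever `layer_hint` is NULL on an origin circuit; if that cannot happen, the doc comment should say so, since it does not mention the new parameter yet, e.g. `layer_hint is the hop this cell is associated with; on an origin circuit it must be the last hop (cpath->prev)`. The log text labels the value "rend purpose" but prints `command`, which is the relay command; `rend command %d` would match what is logged.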