From 56a7c5bc15e0447203a491c1ee37de9939ad1dcd Mon Sep 17 00:00:00 2001 From: David Goulet Date: Mon, 5 Jun 2017 11:11:42 -0400 Subject: TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell On an hidden service rendezvous circuit, a BEGIN_DIR could be sent (maliciously) which would trigger a tor_assert() because connection_edge_process_relay_cell() thought that the circuit is an or_circuit_t but is an origin circuit in reality. Fixes #22494 Reported-by: Roger Dingledine Signed-off-by: David Goulet --- changes/trove-2017-005 | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 changes/trove-2017-005 (limited to 'changes') diff --git a/changes/trove-2017-005 b/changes/trove-2017-005 new file mode 100644 index 0000000000..cebb013f86 --- /dev/null +++ b/changes/trove-2017-005 @@ -0,0 +1,7 @@ + o Major bugfixes (hidden service, relay, security): + - Fix an assertion failure caused by receiving a BEGIN_DIR cell on + a hidden service rendezvous circuit. Fixes bug 22494, tracked as + TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found + by armadev. + + -- cgit v1.2.3-54-g00ecf
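Review bot: the entry added in changes/trove-2017-005 names the trigger (a BEGIN_DIR cell on a hidden service rendezvous circuit) but not which side hits the assertion or that the cell can be sent maliciously, both of which the commit message states. For an entry filed under "security", consider saying that a remote party can trigger the failure and that the affected circuit is an origin circuit, so operators can tell from the changelog whether they are exposed. The file also ends with two empty added lines after "by armadev."; drop them unless the changes-file format needs them. This view is limited to 'changes', so the code change in connection_edge_process_relay_cell() that the subject line refers to is not visible here and cannot be checked against the description.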