From 4fe4f8179fe81244319c7fdec64299b6506434a2 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Tue, 13 Feb 2018 10:29:41 -0500
Subject: dos: Don't set consensus param if we aren't a public relay

We had this safeguard around dos_init() but not when the consensus changes which can modify consensus parameters and possibly enable the DoS mitigation even if tor wasn't a public relay.

Fixes #25223

Signed-off-by: David Goulet
---
 src/or/dos.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/or')

diff --git a/src/or/dos.c b/src/or/dos.c
index 9e8a7a9abe..bfa415e7b5 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -738,6 +738,14 @@ dos_close_client_conn(const or_connection_t *or_conn)
 void
 dos_consensus_has_changed(const networkstatus_t *ns)
 {
+ /* There are two ways to configure this subsystem, one at startup through
+ * dos_init() which is called when the options are parsed. And this one
+ * through the consensus. We don't want to enable any DoS mitigation if we
+ * aren't a public relay. */
+ if (!public_server_mode(get_options())) {
+ return;
+ }
+
 cc_consensus_has_changed(ns);
 conn_consensus_has_changed(ns);
-- 
cgit v1.2.3-54-g00ecf

From 305e39d0f8bcc39d45c2877495046bd927347106 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Tue, 13 Feb 2018 10:41:21 -0500
Subject: dos: Add extra safety asserts in cc_stats_refill_bucket()

Never allow the function to set a bucket value above the allowed circuit burst.

Closes #25202

Signed-off-by: David Goulet
---
 changes/ticket25202 | 4 ++++
 src/or/dos.c | 10 ++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 changes/ticket25202

(limited to 'src/or')

diff --git a/changes/ticket25202 b/changes/ticket25202
new file mode 100644
index 0000000000..5edef44f0b
--- /dev/null
+++ b/changes/ticket25202
@@ -0,0 +1,4 @@
+ o Minor bugfixes (DoS mitigation):
+ - Add extra safety checks when refilling the circuit creation bucket to
+ ensure we never set a value that is above the allowed burst. Fixes
+ ticket 25202.
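Review bot: The early return on `if (!public_server_mode(get_options()))` only stops this path from turning mitigation on; nothing here turns it off, so a relay that a previous consensus enabled while it was public and that is later reconfigured as non-public presumably keeps that state unless dos_init() (not visible here) resets it — worth confirming, or stating in the comment that the enabled flags are only ever cleared elsewhere. The commit message says dos_init() carries the same safeguard, but that code is outside the hunk, so the predicate is now duplicated at two sites; a shared helper such as `static inline int dos_is_applicable(void) { return public_server_mode(get_options()); }` used by both would keep them from drifting. A `log_debug(LD_DOS, "Not a public relay; ignoring DoS consensus params");` before the return would also make it diagnosable when an operator expects mitigation and it stays off. The closing brace of dos_consensus_has_changed() is outside the hunk.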
diff --git a/src/or/dos.c b/src/or/dos.c
index 9e8a7a9abe..e7f3241ef4 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -309,6 +309,16 @@ cc_stats_refill_bucket(cc_client_stats_t *stats, const tor_addr_t *addr)
 new_circuit_bucket_count = MIN(stats->circuit_bucket + (uint32_t)num_token,
 dos_cc_circuit_burst);
 }
+
+ /* This function is not allowed to make the bucket count larger than the
+ * burst value */
+ tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst);
+ /* This function is not allowed to make the bucket count smaller, unless it
+ * is decreasing it to a newly configured, lower burst value. We allow the
+ * bucket to stay the same size, in case the circuit rate is zero. */
+ tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket ||
+ new_circuit_bucket_count == dos_cc_circuit_burst);
+
 log_debug(LD_DOS, "DoS address %s has its circuit bucket value: %" PRIu32 ". Filling it to %" PRIu32 ". Circuit rate is %" PRIu64 ". Elapsed time is %" PRIi64,
-- 
cgit v1.2.3-54-g00ecf
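Review bot: The two `tor_assert_nonfatal()` checks only report an out-of-range `new_circuit_bucket_count`; they do not correct it, and the value is presumably stored into `stats->circuit_bucket` below the hunk, so a violated invariant still propagates after the warning. The visible context line computes `stats->circuit_bucket + (uint32_t)num_token`, which truncates `num_token` and can wrap in 32 bits before `MIN()` sees it, producing a bucket smaller than before — exactly the case the second assert would then flag after the fact. If `num_token` is an unsigned count (the cast suggests it is wider than 32 bits), test for the wrap before adding and saturate to the burst, as below; the enclosing if/else and the later assignment to the stats struct begin and end outside the hunk. Either way the comment above the second assert should state the contract a caller can rely on, e.g. `/* Invariant: the bucket never exceeds dos_cc_circuit_burst and only shrinks when the burst itself was lowered. */`.

```c
    /* … unchanged: preceding branch of the if/else … */
    if (num_token > UINT32_MAX - stats->circuit_bucket) {
      /* bucket + num_token would wrap uint32_t; saturate to the burst. */
      new_circuit_bucket_count = dos_cc_circuit_burst;
    } else {
      new_circuit_bucket_count = MIN(stats->circuit_bucket + (uint32_t)num_token,
                                     dos_cc_circuit_burst);
    }
```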