Implement the last of proposal 110

Reject all EXTEND requests not received in a relay_early cell
2024-11-24 12:23:32 +01:00 · 2011-10-28 10:51:21 -04:00 · 2011-10-28 10:51:21 -04:00 · 0187bd8728
commit 0187bd8728
parent 878a684386
2 changed files with 26 additions and 0 deletions
--- a/changes/prop110
+++ b/changes/prop110
@ -0,0 +1,7 @@
+  o Major features:
+    - Now that Tor 0.2.0.x is completely deprecated, we can enable the
+      final part of "Proposal 110: Avoiding infinite length circuits"
+      by refusing all circuit-extend requests that do not appear in a
+      "relay_early" cell. This change helps Tor to resist a class of
+      denial-of-service attacks by limiting the maximum circuit length.
+
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -1194,6 +1194,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
               "'extend' cell received for non-zero stream. Dropping.");
        return 0;
      }
+      if (cell->command != CELL_RELAY_EARLY) {
+#define EARLY_WARNING_INTERVAL 900
+        static ratelim_t early_warning_limit =
+          RATELIM_INIT(EARLY_WARNING_INTERVAL);
+        char *m;
+        if (cell->command == CELL_RELAY) {
+          if ((m = rate_limit_log(&early_warning_limit, approx_time()))) {
+            /* XXXX make this a protocol_warn once we're happier with it*/
+            log_fn(LOG_WARN, domain, "EXTEND cell received, "
+                   "but not via RELAY_EARLY. Dropping.%s", m);
+            tor_free(m);
+          }
+        } else {
+          log_fn(LOG_WARN, domain,
+                 "EXTEND cell received, in a cell with type %d! Dropping.",
+                 cell->command);
+        }
+        return 0;
+      }
      return circuit_extend(cell, circ);
    case RELAY_COMMAND_EXTENDED:
      if (!layer_hint) {