mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Merge remote-tracking branch 'origin/maint-0.2.3'
This commit is contained in:
commit
0b21170085
11
changes/bug6252_again
Normal file
11
changes/bug6252_again
Normal file
@ -0,0 +1,11 @@
|
||||
o Security fixes:
|
||||
- Tear down the circuit if we get an unexpected SENDME cell. Clients
|
||||
could use this trick to make their circuits receive cells faster
|
||||
than our flow control would have allowed, or to gum up the network,
|
||||
or possibly to do targeted memory denial-of-service attacks on
|
||||
entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
|
||||
from July 2002, before the release of Tor 0.0.0. We had committed
|
||||
this patch previously, but we had to revert it because of bug 6271.
|
||||
Now that 6271 is fixed, this appears to work.
|
||||
|
||||
|
@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
|
||||
case RELAY_COMMAND_SENDME:
|
||||
if (!rh.stream_id) {
|
||||
if (layer_hint) {
|
||||
if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
|
||||
CIRCWINDOW_START_MAX) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
|
||||
"Bug/attack: unexpected sendme cell from exit relay. "
|
||||
"Closing circ.");
|
||||
return -END_CIRC_REASON_TORPROTOCOL;
|
||||
}
|
||||
layer_hint->package_window += CIRCWINDOW_INCREMENT;
|
||||
log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
|
||||
layer_hint->package_window);
|
||||
circuit_resume_edge_reading(circ, layer_hint);
|
||||
} else {
|
||||
if (circ->package_window + CIRCWINDOW_INCREMENT >
|
||||
CIRCWINDOW_START_MAX) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
|
||||
"Bug/attack: unexpected sendme cell from client. "
|
||||
"Closing circ.");
|
||||
return -END_CIRC_REASON_TORPROTOCOL;
|
||||
}
|
||||
circ->package_window += CIRCWINDOW_INCREMENT;
|
||||
log_debug(LD_APP,
|
||||
"circ-level sendme at non-origin, packagewindow %d.",
|
||||
|
Loading…
Reference in New Issue
Block a user