defense in depth

svn:r6939

src/or/circuitbuild.c

@@ -625,11 +625,17 @@ circuit_extend(cell_t *cell, circuit_t *circ)
   char *id_digest=NULL;
 
   if (circ->n_conn) {
-    log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL,
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "n_conn already set. Bug/attack. Closing.");
     return -1;
   }
 
+  if (!server_mode(get_options())) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Got an extend cell, but running as a client. Closing.");
+    return -1;
+  }
+
   relay_header_unpack(&rh, cell->payload);
 
   if (rh.length < 4+2+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) {

src/or/command.c

@@ -173,6 +173,16 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     return;
   }
 
+  if (!server_mode(get_options())) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Received create cell (type %d) from %s:%d, but we're a client. "
+           "Sending back a destroy.",
+           (int)cell->command, conn->_base.address, conn->_base.port);
+    connection_or_send_destroy(cell->circ_id, conn,
+                               END_CIRC_REASON_TORPROTOCOL);
+    return;
+  }
+
   /* If the high bit of the circuit ID is not as expected, close the
    * circ. */
   id_is_high = cell->circ_id & (1<<15);

src/or/connection_edge.c

@@ -1598,12 +1598,20 @@ connection_exit_begin_conn(cell_t *cell, circuit_t *circ)
   uint16_t port;
 
   assert_circuit_ok(circ);
-  relay_header_unpack(&rh, cell->payload);
 
   /* XXX currently we don't send an end cell back if we drop the
    * begin because it's malformed.
    */
 
+  if (!server_mode(get_options()) &&
+      circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Relay begin cell at non-server. Dropping.");
+    return 0;
+  }
+
+  relay_header_unpack(&rh, cell->payload);
+
   if (!memchr(cell->payload+RELAY_HEADER_SIZE, 0, rh.length)) {
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "Relay begin cell has no \\0. Dropping.");