nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'maint-0.4.5' into maint-0.4.6

Browse Source
This commit is contained in:
Nick Mathewson 2021-06-10 08:53:07 -04:00
commit 3260d323a6
2 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changes/ticket40389 Normal file
View File

@ -0,0 +1,3 @@
o Major bugfixes (relay, TROVE):
- Don't allow entry or middle relays to spoof RELAY_END or RELAY_RESOLVED
cell on half-closed streams. Fixes bug 40389; bugfix on 0.3.5.1-alpha.

39
src/core/or/relay.c
View File

@ -1505,6 +1505,25 @@ connection_edge_process_relay_cell_not_open(
// return -1; // return -1;
} }
/**
* Return true iff our decryption layer_hint is from the last hop
* in a circuit.
*/
static bool
relay_crypt_from_last_hop(origin_circuit_t *circ, crypt_path_t *layer_hint)
{
tor_assert(circ);
tor_assert(layer_hint);
tor_assert(circ->cpath);
if (layer_hint != circ->cpath->prev) {
log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
"Got unexpected relay data from intermediate hop");
return false;
}
return true;
}
/** Process a SENDME cell that arrived on <b>circ</b>. If it is a stream level /** Process a SENDME cell that arrived on <b>circ</b>. If it is a stream level
* cell, it is destined for the given <b>conn</b>. If it is a circuit level * cell, it is destined for the given <b>conn</b>. If it is a circuit level
* cell, it is destined for the <b>layer_hint</b>. The <b>domain</b> is the * cell, it is destined for the <b>layer_hint</b>. The <b>domain</b> is the
@ -1725,8 +1744,17 @@ handle_relay_cell_command(cell_t *cell, circuit_t *circ,
if (!conn) { if (!conn) {
if (CIRCUIT_IS_ORIGIN(circ)) { if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
<<<<<<< HEAD
if (connection_half_edge_is_valid_end(ocirc->half_streams, if (connection_half_edge_is_valid_end(ocirc->half_streams,
rh->stream_id)) { rh->stream_id)) {
||||||| d71bf986b4faf7
if (connection_half_edge_is_valid_end(ocirc->half_streams,
rh.stream_id)) {
=======
if (relay_crypt_from_last_hop(ocirc, layer_hint) &&
connection_half_edge_is_valid_end(ocirc->half_streams,
rh.stream_id)) {
>>>>>>> maint-0.3.5
circuit_read_valid_data(ocirc, rh->length); circuit_read_valid_data(ocirc, rh->length);
log_info(domain, log_info(domain,
@ -1935,9 +1963,20 @@ handle_relay_cell_command(cell_t *cell, circuit_t *circ,
if (CIRCUIT_IS_ORIGIN(circ)) { if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ); origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
<<<<<<< HEAD
if (connection_half_edge_is_valid_resolved(ocirc->half_streams, if (connection_half_edge_is_valid_resolved(ocirc->half_streams,
rh->stream_id)) { rh->stream_id)) {
circuit_read_valid_data(ocirc, rh->length); circuit_read_valid_data(ocirc, rh->length);
||||||| d71bf986b4faf7
if (connection_half_edge_is_valid_resolved(ocirc->half_streams,
rh.stream_id)) {
circuit_read_valid_data(ocirc, rh.length);
=======
if (relay_crypt_from_last_hop(ocirc, layer_hint) &&
connection_half_edge_is_valid_resolved(ocirc->half_streams,
rh.stream_id)) {
circuit_read_valid_data(ocirc, rh.length);
>>>>>>> maint-0.3.5
log_info(domain, log_info(domain,
"resolved cell on circ %u valid on half-closed " "resolved cell on circ %u valid on half-closed "
"stream id %d", ocirc->global_identifier, rh->stream_id); "stream id %d", ocirc->global_identifier, rh->stream_id);