mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Merge branch 'maint-0.4.5' into maint-0.4.6
This commit is contained in:
commit
69bd4a8a2d
9
changes/bug40391
Normal file
9
changes/bug40391
Normal file
@ -0,0 +1,9 @@
|
||||
o Major bugfixes (security):
|
||||
- Resist a hashtable-based CPU denial-of-service attack against
|
||||
relays. Previously we used a naive unkeyed hash function to look up
|
||||
circuits in a circuitmux object. An attacker could exploit this to
|
||||
construct circuits with chosen circuit IDs in order to try to create
|
||||
collisions and make the hash table inefficient. Now we use a SipHash
|
||||
construction for this hash table instead. Fixes bug 40391; bugfix on
|
||||
0.2.4.4-alpha. This issue is also tracked as TROVE-2021-005.
|
||||
Reported by Jann Horn from Google's Project Zero.
|
@ -169,9 +169,10 @@ chanid_circid_entries_eq(chanid_circid_muxinfo_t *a,
|
||||
static inline unsigned int
|
||||
chanid_circid_entry_hash(chanid_circid_muxinfo_t *a)
|
||||
{
|
||||
return (((unsigned int)(a->circ_id) << 8) ^
|
||||
((unsigned int)((a->chan_id >> 32) & 0xffffffff)) ^
|
||||
((unsigned int)(a->chan_id & 0xffffffff)));
|
||||
uint8_t data[8 + 4];
|
||||
set_uint64(data, a->chan_id);
|
||||
set_uint32(data + 8, a->circ_id);
|
||||
return (unsigned) siphash24g(data, sizeof(data));
|
||||
}
|
||||
|
||||
/* Emit a bunch of hash table stuff */
|
||||
|
Loading…
Reference in New Issue
Block a user