From 6c602026e8a9f5e115f4892162c513e3f44ae1da Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 2 Dec 2020 10:07:26 -0500
Subject: [PATCH] Detect extra bytes in HAProxy inbuf when transitioning to OR handshake This shouldn't be possible, but let's add it for defense-in-depth. Closes #40017.
---
 changes/ticket40017_redux | 3 +++
 src/core/or/connection_or.c | 5 +++++
 2 files changed, 8 insertions(+)
 create mode 100644 changes/ticket40017_redux
diff --git a/changes/ticket40017_redux b/changes/ticket40017_redux
new file mode 100644
index 0000000000..b190e7080e
--- /dev/null
+++ b/changes/ticket40017_redux
@@ -0,0 +1,3 @@
+ o Minor features (protocol, proxy support, defense in depth):
+ - Close HAProxy connections if they somehow manage to send us data before
+ we start reading. Closes another case of ticket 40017.
\ No newline at end of file
diff --git a/src/core/or/connection_or.c b/src/core/or/connection_or.c
index e3e81ed9cb..40c4441de6 100644
--- a/src/core/or/connection_or.c
+++ b/src/core/or/connection_or.c
@@ -686,6 +686,11 @@ connection_or_finished_flushing(or_connection_t *conn)
 /* PROXY_HAPROXY gets connected by receiving an ack. */
 if (conn->proxy_type == PROXY_HAPROXY) {
 tor_assert(TO_CONN(conn)->proxy_state == PROXY_HAPROXY_WAIT_FOR_FLUSH);
+ IF_BUG_ONCE(buf_datalen(TO_CONN(conn)->inbuf) != 0) {
+ /* This should be impossible; we're not even reading. */
+ connection_or_close_for_error(conn, 0);
+ return -1;
+ }
 TO_CONN(conn)->proxy_state = PROXY_CONNECTED;
 if (connection_tls_start_handshake(conn, 0) < 0) {
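Review bot: The new `IF_BUG_ONCE(buf_datalen(TO_CONN(conn)->inbuf) != 0)` branch reports only the first time it fires, so if early bytes from the proxy side ever prove reachable, every later connection is closed by `connection_or_close_for_error(conn, 0)` with no log line at all. Since the commit message frames this as defense-in-depth rather than a proven invariant, consider a per-event message inside the branch, e.g. `log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Unexpected data from HAProxy before OR handshake; closing.");`, so repeated hits stay visible to operators. The comment `/* This should be impossible; we're not even reading. */` could also state what the leftover bytes would be fed into if the connection were kept, which is not evident from the hunk. `connection_or_finished_flushing` starts before and continues past this hunk, so how callers treat the `-1` return cannot be checked from here.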