Merge branch 'maint-0.2.8' into release-0.2.8

This commit is contained in:
Nick Mathewson 2017-12-21 10:58:20 -05:00
commit 89f40ba97a
7 changed files with 126 additions and 34 deletions

7
changes/bug24666 Normal file
View File

@ -0,0 +1,7 @@
o Minor bugfixes (memory usage):
- When queuing DESTROY cells on a channel, only queue the
circuit-id and reason fields: not the entire 514-byte
cell. This fix should help mitigate any bugs or attacks that
fill up these queues, and free more RAM for other uses. Fixes
bug 24666; bugfix on 0.2.5.1-alpha.

View File

@ -117,7 +117,7 @@ struct circuitmux_s {
struct circuit_t *active_circuits_head, *active_circuits_tail; struct circuit_t *active_circuits_head, *active_circuits_tail;
/** List of queued destroy cells */ /** List of queued destroy cells */
cell_queue_t destroy_cell_queue; destroy_cell_queue_t destroy_cell_queue;
/** Boolean: True iff the last cell to circuitmux_get_first_active_circuit /** Boolean: True iff the last cell to circuitmux_get_first_active_circuit
* returned the destroy queue. Used to force alternation between * returned the destroy queue. Used to force alternation between
* destroy/non-destroy cells. * destroy/non-destroy cells.
@ -383,7 +383,7 @@ circuitmux_alloc(void)
rv = tor_malloc_zero(sizeof(*rv)); rv = tor_malloc_zero(sizeof(*rv));
rv->chanid_circid_map = tor_malloc_zero(sizeof(*( rv->chanid_circid_map))); rv->chanid_circid_map = tor_malloc_zero(sizeof(*( rv->chanid_circid_map)));
HT_INIT(chanid_circid_muxinfo_map, rv->chanid_circid_map); HT_INIT(chanid_circid_muxinfo_map, rv->chanid_circid_map);
cell_queue_init(&rv->destroy_cell_queue); destroy_cell_queue_init(&rv->destroy_cell_queue);
return rv; return rv;
} }
@ -522,20 +522,11 @@ circuitmux_detach_all_circuits(circuitmux_t *cmux, smartlist_t *detached_out)
void void
circuitmux_mark_destroyed_circids_usable(circuitmux_t *cmux, channel_t *chan) circuitmux_mark_destroyed_circids_usable(circuitmux_t *cmux, channel_t *chan)
{ {
packed_cell_t *cell; destroy_cell_t *cell;
int n_bad = 0;
TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) { TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) {
circid_t circid = 0; channel_mark_circid_usable(chan, cell->circid);
if (packed_cell_is_destroy(chan, cell, &circid)) {
channel_mark_circid_usable(chan, circid);
} else {
++n_bad;
} }
} }
if (n_bad)
log_warn(LD_BUG, "%d cell(s) on destroy queue did not look like a "
"DESTROY cell.", n_bad);
}
/** /**
* Free a circuitmux_t; the circuits must be detached first with * Free a circuitmux_t; the circuits must be detached first with
@ -591,7 +582,7 @@ circuitmux_free(circuitmux_t *cmux)
I64_PRINTF_ARG(global_destroy_ctr)); I64_PRINTF_ARG(global_destroy_ctr));
} }
cell_queue_clear(&cmux->destroy_cell_queue); destroy_cell_queue_clear(&cmux->destroy_cell_queue);
tor_free(cmux); tor_free(cmux);
} }
@ -1469,7 +1460,7 @@ circuitmux_set_num_cells(circuitmux_t *cmux, circuit_t *circ,
circuit_t * circuit_t *
circuitmux_get_first_active_circuit(circuitmux_t *cmux, circuitmux_get_first_active_circuit(circuitmux_t *cmux,
cell_queue_t **destroy_queue_out) destroy_cell_queue_t **destroy_queue_out)
{ {
circuit_t *circ = NULL; circuit_t *circ = NULL;
@ -1885,14 +1876,7 @@ circuitmux_append_destroy_cell(channel_t *chan,
circid_t circ_id, circid_t circ_id,
uint8_t reason) uint8_t reason)
{ {
cell_t cell; destroy_cell_queue_append(&cmux->destroy_cell_queue, circ_id, reason);
memset(&cell, 0, sizeof(cell_t));
cell.circ_id = circ_id;
cell.command = CELL_DESTROY;
cell.payload[0] = (uint8_t) reason;
cell_queue_append_packed_copy(NULL, &cmux->destroy_cell_queue, 0, &cell,
chan->wide_circ_ids, 0);
/* Destroy entering the queue, update counters */ /* Destroy entering the queue, update counters */
++(cmux->destroy_ctr); ++(cmux->destroy_ctr);
@ -1925,13 +1909,13 @@ circuitmux_count_queued_destroy_cells(const channel_t *chan,
int64_t manual_total = 0; int64_t manual_total = 0;
int64_t manual_total_in_map = 0; int64_t manual_total_in_map = 0;
packed_cell_t *cell; destroy_cell_t *cell;
TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) { TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) {
circid_t id; circid_t id;
++manual_total; ++manual_total;
id = packed_cell_get_circid(cell, chan->wide_circ_ids); id = cell->circid;
if (circuit_id_in_use_on_channel(id, (channel_t*)chan)) if (circuit_id_in_use_on_channel(id, (channel_t*)chan))
++manual_total_in_map; ++manual_total_in_map;
} }

View File

@ -131,7 +131,7 @@ int64_t circuitmux_count_queued_destroy_cells(const channel_t *chan,
/* Channel interface */ /* Channel interface */
circuit_t * circuitmux_get_first_active_circuit(circuitmux_t *cmux, circuit_t * circuitmux_get_first_active_circuit(circuitmux_t *cmux,
cell_queue_t **destroy_queue_out); destroy_cell_queue_t **destroy_queue_out);
void circuitmux_notify_xmit_cells(circuitmux_t *cmux, circuit_t *circ, void circuitmux_notify_xmit_cells(circuitmux_t *cmux, circuit_t *circ,
unsigned int n_cells); unsigned int n_cells);
void circuitmux_notify_xmit_destroy(circuitmux_t *cmux); void circuitmux_notify_xmit_destroy(circuitmux_t *cmux);

View File

@ -1134,6 +1134,21 @@ typedef struct cell_queue_t {
int n; /**< The number of cells in the queue. */ int n; /**< The number of cells in the queue. */
} cell_queue_t; } cell_queue_t;
/** A single queued destroy cell. */
typedef struct destroy_cell_t {
TOR_SIMPLEQ_ENTRY(destroy_cell_t) next;
circid_t circid;
uint32_t inserted_time; /** Timestamp when this was queued. */
uint8_t reason;
} destroy_cell_t;
/** A queue of destroy cells on a channel. */
typedef struct destroy_cell_queue_t {
/** Linked list of packed_cell_t */
TOR_SIMPLEQ_HEAD(dcell_simpleq, destroy_cell_t) head;
int n; /**< The number of cells in the queue. */
} destroy_cell_queue_t;
/** Beginning of a RELAY cell payload. */ /** Beginning of a RELAY cell payload. */
typedef struct { typedef struct {
uint8_t command; /**< The end-to-end relay command. */ uint8_t command; /**< The end-to-end relay command. */

View File

@ -2367,6 +2367,75 @@ cell_queue_pop(cell_queue_t *queue)
return cell; return cell;
} }
/** Initialize <b>queue</b> as an empty cell queue. */
void
destroy_cell_queue_init(destroy_cell_queue_t *queue)
{
memset(queue, 0, sizeof(destroy_cell_queue_t));
TOR_SIMPLEQ_INIT(&queue->head);
}
/** Remove and free every cell in <b>queue</b>. */
void
destroy_cell_queue_clear(destroy_cell_queue_t *queue)
{
destroy_cell_t *cell;
while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) {
TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
tor_free(cell);
}
TOR_SIMPLEQ_INIT(&queue->head);
queue->n = 0;
}
/** Extract and return the cell at the head of <b>queue</b>; return NULL if
* <b>queue</b> is empty. */
STATIC destroy_cell_t *
destroy_cell_queue_pop(destroy_cell_queue_t *queue)
{
destroy_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head);
if (!cell)
return NULL;
TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
--queue->n;
return cell;
}
/** Append a destroy cell for <b>circid</b> to <b>queue</b>. */
void
destroy_cell_queue_append(destroy_cell_queue_t *queue,
circid_t circid,
uint8_t reason)
{
struct timeval now;
destroy_cell_t *cell = tor_malloc_zero(sizeof(destroy_cell_t));
cell->circid = circid;
cell->reason = reason;
tor_gettimeofday_cached_monotonic(&now);
/* Not yet used, but will be required for OOM handling. */
cell->inserted_time = (uint32_t)tv_to_msec(&now);
TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next);
++queue->n;
}
/** Convert a destroy_cell_t to a newly allocated cell_t. Frees its input. */
static packed_cell_t *
destroy_cell_to_packed_cell(destroy_cell_t *inp, int wide_circ_ids)
{
packed_cell_t *packed = packed_cell_new();
cell_t cell;
memset(&cell, 0, sizeof(cell));
cell.circ_id = inp->circid;
cell.command = CELL_DESTROY;
cell.payload[0] = inp->reason;
cell_pack(packed, &cell, wide_circ_ids);
tor_free(inp);
return packed;
}
/** Return the total number of bytes used for each packed_cell in a queue. /** Return the total number of bytes used for each packed_cell in a queue.
* Approximate. */ * Approximate. */
size_t size_t
@ -2576,7 +2645,8 @@ channel_flush_from_first_active_circuit, (channel_t *chan, int max))
{ {
circuitmux_t *cmux = NULL; circuitmux_t *cmux = NULL;
int n_flushed = 0; int n_flushed = 0;
cell_queue_t *queue, *destroy_queue=NULL; cell_queue_t *queue;
destroy_cell_queue_t *destroy_queue=NULL;
circuit_t *circ; circuit_t *circ;
or_circuit_t *or_circ; or_circuit_t *or_circ;
int streams_blocked; int streams_blocked;
@ -2591,9 +2661,17 @@ channel_flush_from_first_active_circuit, (channel_t *chan, int max))
while (n_flushed < max) { while (n_flushed < max) {
circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue); circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue);
if (destroy_queue) { if (destroy_queue) {
destroy_cell_t *dcell;
/* this code is duplicated from some of the logic below. Ugly! XXXX */ /* this code is duplicated from some of the logic below. Ugly! XXXX */
/* If we are given a destroy_queue here, then it is required to be
* nonempty... */
tor_assert(destroy_queue->n > 0); tor_assert(destroy_queue->n > 0);
cell = cell_queue_pop(destroy_queue); dcell = destroy_cell_queue_pop(destroy_queue);
/* ...and pop() will always yield a cell from a nonempty queue. */
tor_assert(dcell);
/* frees dcell */
cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids);
/* frees cell */
channel_write_packed_cell(chan, cell); channel_write_packed_cell(chan, cell);
/* Update the cmux destroy counter */ /* Update the cmux destroy counter */
circuitmux_notify_xmit_destroy(cmux); circuitmux_notify_xmit_destroy(cmux);

View File

@ -60,6 +60,13 @@ void cell_queue_append_packed_copy(circuit_t *circ, cell_queue_t *queue,
void append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan, void append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan,
cell_t *cell, cell_direction_t direction, cell_t *cell, cell_direction_t direction,
streamid_t fromstream); streamid_t fromstream);
void destroy_cell_queue_init(destroy_cell_queue_t *queue);
void destroy_cell_queue_clear(destroy_cell_queue_t *queue);
void destroy_cell_queue_append(destroy_cell_queue_t *queue,
circid_t circid,
uint8_t reason);
void channel_unlink_all_circuits(channel_t *chan, smartlist_t *detached_out); void channel_unlink_all_circuits(channel_t *chan, smartlist_t *detached_out);
MOCK_DECL(int, channel_flush_from_first_active_circuit, MOCK_DECL(int, channel_flush_from_first_active_circuit,
(channel_t *chan, int max)); (channel_t *chan, int max));
@ -99,6 +106,7 @@ STATIC int connection_edge_process_resolved_cell(edge_connection_t *conn,
const relay_header_t *rh); const relay_header_t *rh);
STATIC packed_cell_t *packed_cell_new(void); STATIC packed_cell_t *packed_cell_new(void);
STATIC packed_cell_t *cell_queue_pop(cell_queue_t *queue); STATIC packed_cell_t *cell_queue_pop(cell_queue_t *queue);
STATIC destroy_cell_t *destroy_cell_queue_pop(destroy_cell_queue_t *queue);
STATIC size_t cell_queues_get_total_allocation(void); STATIC size_t cell_queues_get_total_allocation(void);
STATIC int cell_queues_check_size(void); STATIC int cell_queues_check_size(void);
#endif #endif

View File

@ -34,8 +34,9 @@ test_cmux_destroy_cell_queue(void *arg)
circuitmux_t *cmux = NULL; circuitmux_t *cmux = NULL;
channel_t *ch = NULL; channel_t *ch = NULL;
circuit_t *circ = NULL; circuit_t *circ = NULL;
cell_queue_t *cq = NULL; destroy_cell_queue_t *cq = NULL;
packed_cell_t *pc = NULL; packed_cell_t *pc = NULL;
destroy_cell_t *dc = NULL;
scheduler_init(); scheduler_init();
@ -63,11 +64,9 @@ test_cmux_destroy_cell_queue(void *arg)
tt_int_op(cq->n, OP_EQ, 3); tt_int_op(cq->n, OP_EQ, 3);
pc = cell_queue_pop(cq); dc = destroy_cell_queue_pop(cq);
tt_assert(pc); tt_assert(dc);
tt_mem_op(pc->body, OP_EQ, "\x00\x00\x00\x64\x04\x0a\x00\x00\x00", 9); tt_uint_op(dc->circid, OP_EQ, 100);
packed_cell_free(pc);
pc = NULL;
tt_int_op(circuitmux_num_cells(cmux), OP_EQ, 2); tt_int_op(circuitmux_num_cells(cmux), OP_EQ, 2);
@ -75,6 +74,7 @@ test_cmux_destroy_cell_queue(void *arg)
circuitmux_free(cmux); circuitmux_free(cmux);
channel_free(ch); channel_free(ch);
packed_cell_free(pc); packed_cell_free(pc);
tor_free(dc);
} }
struct testcase_t circuitmux_tests[] = { struct testcase_t circuitmux_tests[] = {