Merge remote-tracking branch 'public/bug6252_again' into maint-0.2.3

This commit is contained in:
Nick Mathewson 2012-08-09 10:50:11 -04:00
commit 91b52a259a
2 changed files with 25 additions and 0 deletions

11
changes/bug6252_again Normal file
View File

@ -0,0 +1,11 @@
o Security fixes:
- Tear down the circuit if we get an unexpected SENDME cell. Clients
could use this trick to make their circuits receive cells faster
than our flow control would have allowed, or to gum up the network,
or possibly to do targeted memory denial-of-service attacks on
entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
from July 2002, before the release of Tor 0.0.0. We had committed
this patch previously, but we had to revert it because of bug 6271.
Now that 6271 is fixed, this appears to work.

View File

@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
case RELAY_COMMAND_SENDME:
if (!rh.stream_id) {
if (layer_hint) {
if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
CIRCWINDOW_START_MAX) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Bug/attack: unexpected sendme cell from exit relay. "
"Closing circ.");
return -END_CIRC_REASON_TORPROTOCOL;
}
layer_hint->package_window += CIRCWINDOW_INCREMENT;
log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
layer_hint->package_window);
circuit_resume_edge_reading(circ, layer_hint);
} else {
if (circ->package_window + CIRCWINDOW_INCREMENT >
CIRCWINDOW_START_MAX) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Bug/attack: unexpected sendme cell from client. "
"Closing circ.");
return -END_CIRC_REASON_TORPROTOCOL;
}
circ->package_window += CIRCWINDOW_INCREMENT;
log_debug(LD_APP,
"circ-level sendme at non-origin, packagewindow %d.",