Merge branch 'bug7889_023' into maint-0.2.3

Nick Mathewson 2013-01-15 16:30:07 -05:00
commit ae15b55173
3 changed files with 33 additions and 0 deletions

8
changes/bug7889 Normal file

@ -0,0 +1,8 @@
o Major bugfixes:
- Reject bogus create and relay cells with 0 circuit ID or 0 stream
ID: these could be used to create unexpected streams and circuits
which would count as "present" to some parts of Tor but "absent"
to others, leading to zombie circuits and streams or to a
bandwidth DOS. Fixes bug 7889; bugfix on every released version of
Tor. Reported by "oftc_must_be_destroyed".


@ -382,6 +382,14 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
return;
}
if (cell->circ_id == 0) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"Received a create cell (type %d) from %s:%d with zero circID; "
" ignoring.", (int)cell->command, conn->_base.address,
conn->_base.port);
return;
}
/* If the high bit of the circuit ID is not as expected, close the
* circ. */
id_is_high = cell->circ_id & (1<<15);
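Review bot: The new `cell->circ_id == 0` branch has no comment saying why a zero circuit ID is rejected, although the check right after it carries one; something like `/* A create cell with circuit ID 0 must never allocate circuit state: drop it. */` would tie the code to the changes entry. The two adjacent string literals also concatenate to `circID;  ignoring.` with a doubled space, so the leading space in `" ignoring."` should be removed. The cell is dropped with a bare `return` and no DESTROY is sent, which looks deliberate since there is no usable circuit ID to answer on, but the comment should say so. command_process_create_cell starts and ends outside the hunk.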


@ -1046,6 +1046,23 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
return - END_CIRC_REASON_TORPROTOCOL;
}
if (rh.stream_id == 0) {
switch (rh.command) {
case RELAY_COMMAND_BEGIN:
case RELAY_COMMAND_CONNECTED:
case RELAY_COMMAND_DATA:
case RELAY_COMMAND_END:
case RELAY_COMMAND_RESOLVE:
case RELAY_COMMAND_RESOLVED:
case RELAY_COMMAND_BEGIN_DIR:
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero "
"stream_id. Dropping.", (int)rh.command);
return 0;
default:
;
}
}
/* either conn is NULL, in which case we've got a control cell, or else
* conn points to the recognized stream. */
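Review bot: The `switch` under `rh.stream_id == 0` lists the stream-level commands by hand, so a stream-level relay command added later would fall into `default:` and be accepted with a zero stream ID. A comment above the switch should state that invariant, e.g. `/* Every relay command that addresses a stream must be listed here; control cells may carry stream ID 0. */`. The branch also returns `0` and leaves the circuit open, whereas the check just before it returns `- END_CIRC_REASON_TORPROTOCOL`; if dropping rather than closing is intended, the same comment should give the reason. The empty `default: ;` would read more clearly as `default: break;`. connection_edge_process_relay_cell starts and ends outside the hunk.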