nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-24 12:23:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

Don't use any OR connection which sent us a CREATE_FAST cell for an EXTEND

Browse Source 
Fix suggested by Nick Mathewson.
This commit is contained in:
Robert Ransom 2011-10-23 14:27:56 -07:00 committed by Sebastian Hahn
parent 638fdedcf1
commit af12c39d6d
4 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
changes/issue-2011-10-19L
View File

@ -10,3 +10,12 @@
upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by
frosty_un. frosty_un.
- Don't use any OR connection on which we have received a
CREATE_FAST cell to satisfy an EXTEND request. Previously, we
would not consider whether a connection appears to be from a
client or bridge when deciding whether to use that connection to
satisfy an EXTEND request. Mitigates CVE-2011-2768, by
preventing an attacker from determining whether an unpatched
client is connected to a patched relay. Bugfix on FIXME; found
by frosty_un.

6
src/or/command.c
View File

@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
* a CPU worker. */ * a CPU worker. */
char keys[CPATH_KEY_MATERIAL_LEN]; char keys[CPATH_KEY_MATERIAL_LEN];
char reply[DIGEST_LEN*2]; char reply[DIGEST_LEN*2];
tor_assert(cell->command == CELL_CREATE_FAST); tor_assert(cell->command == CELL_CREATE_FAST);
/* Make sure we never try to use the OR connection on which we
* received this cell to satisfy an EXTEND request, */
conn->is_connection_with_client = 1;
if (fast_server_handshake(cell->payload, (uint8_t*)reply, if (fast_server_handshake(cell->payload, (uint8_t*)reply,
(uint8_t*)keys, sizeof(keys))<0) { (uint8_t*)keys, sizeof(keys))<0) {
log_warn(LD_OR,"Failed to generate key material. Closing."); log_warn(LD_OR,"Failed to generate key material. Closing.");

5
src/or/connection_or.c
View File

@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest,
tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN)); tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN));
if (conn->_base.marked_for_close) if (conn->_base.marked_for_close)
continue; continue;
/* Never return a connection on which the other end appears to be
* a client. */
if (conn->is_connection_with_client) {
continue;
}
/* Never return a non-open connection. */ /* Never return a non-open connection. */
if (conn->_base.state != OR_CONN_STATE_OPEN) { if (conn->_base.state != OR_CONN_STATE_OPEN) {
/* If the address matches, don't launch a new connection for this /* If the address matches, don't launch a new connection for this

4
src/or/or.h
View File

@ -1031,6 +1031,10 @@ typedef struct or_connection_t {
* because the connection is too old, or because there's a better one, etc. * because the connection is too old, or because there's a better one, etc.
*/ */
unsigned int is_bad_for_new_circs:1; unsigned int is_bad_for_new_circs:1;
/** True iff we have decided that the other end of this connection
* is a client. Connections with this flag set should never be used
* to satisfy an EXTEND request. */
unsigned int is_connection_with_client:1;
uint8_t link_proto; /**< What protocol version are we using? 0 for uint8_t link_proto; /**< What protocol version are we using? 0 for
* "none negotiated yet." */ * "none negotiated yet." */
circid_t next_circ_id; /**< Which circ_id do we try to use next on circid_t next_circ_id; /**< Which circ_id do we try to use next on