mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Don't use any OR connection which sent us a CREATE_FAST cell for an EXTEND
Fix suggested by Nick Mathewson.
This commit is contained in:
parent
638fdedcf1
commit
af12c39d6d
@ -10,3 +10,12 @@
|
||||
upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by
|
||||
frosty_un.
|
||||
|
||||
- Don't use any OR connection on which we have received a
|
||||
CREATE_FAST cell to satisfy an EXTEND request. Previously, we
|
||||
would not consider whether a connection appears to be from a
|
||||
client or bridge when deciding whether to use that connection to
|
||||
satisfy an EXTEND request. Mitigates CVE-2011-2768, by
|
||||
preventing an attacker from determining whether an unpatched
|
||||
client is connected to a patched relay. Bugfix on FIXME; found
|
||||
by frosty_un.
|
||||
|
||||
|
@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
|
||||
* a CPU worker. */
|
||||
char keys[CPATH_KEY_MATERIAL_LEN];
|
||||
char reply[DIGEST_LEN*2];
|
||||
|
||||
tor_assert(cell->command == CELL_CREATE_FAST);
|
||||
|
||||
/* Make sure we never try to use the OR connection on which we
|
||||
* received this cell to satisfy an EXTEND request, */
|
||||
conn->is_connection_with_client = 1;
|
||||
|
||||
if (fast_server_handshake(cell->payload, (uint8_t*)reply,
|
||||
(uint8_t*)keys, sizeof(keys))<0) {
|
||||
log_warn(LD_OR,"Failed to generate key material. Closing.");
|
||||
|
@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest,
|
||||
tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN));
|
||||
if (conn->_base.marked_for_close)
|
||||
continue;
|
||||
/* Never return a connection on which the other end appears to be
|
||||
* a client. */
|
||||
if (conn->is_connection_with_client) {
|
||||
continue;
|
||||
}
|
||||
/* Never return a non-open connection. */
|
||||
if (conn->_base.state != OR_CONN_STATE_OPEN) {
|
||||
/* If the address matches, don't launch a new connection for this
|
||||
|
@ -1031,6 +1031,10 @@ typedef struct or_connection_t {
|
||||
* because the connection is too old, or because there's a better one, etc.
|
||||
*/
|
||||
unsigned int is_bad_for_new_circs:1;
|
||||
/** True iff we have decided that the other end of this connection
|
||||
* is a client. Connections with this flag set should never be used
|
||||
* to satisfy an EXTEND request. */
|
||||
unsigned int is_connection_with_client:1;
|
||||
uint8_t link_proto; /**< What protocol version are we using? 0 for
|
||||
* "none negotiated yet." */
|
||||
circid_t next_circ_id; /**< Which circ_id do we try to use next on
|
||||
|
Loading…
Reference in New Issue
Block a user