mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Detect bug 6252 (unexpected sendme cell)
I only check on circuits, not streams, since bloating your stream window past the initial circuit window can't help you much. Also, I compare to CIRCWINDOW_START_MAX so we don't have surprising races if we lower CIRCWINDOW_START for an experiment.
This commit is contained in:
parent
b355ddb20f
commit
c1bd104111
8
changes/bug6252
Normal file
8
changes/bug6252
Normal file
@ -0,0 +1,8 @@
|
||||
o Security fixes:
|
||||
- Tear down the circuit if we get an unexpected SENDME cell. Clients
|
||||
could use this trick to make their circuits receive cells faster
|
||||
than our flow control would have allowed, or to gum up the network,
|
||||
or possibly to do targeted memory denial-of-service attacks on
|
||||
entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
|
||||
from July 2002, before the release of Tor 0.0.0.
|
||||
|
@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
|
||||
case RELAY_COMMAND_SENDME:
|
||||
if (!rh.stream_id) {
|
||||
if (layer_hint) {
|
||||
if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
|
||||
CIRCWINDOW_START_MAX) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
|
||||
"Bug/attack: unexpected sendme cell from exit relay. "
|
||||
"Closing circ.");
|
||||
return -END_CIRC_REASON_TORPROTOCOL;
|
||||
}
|
||||
layer_hint->package_window += CIRCWINDOW_INCREMENT;
|
||||
log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
|
||||
layer_hint->package_window);
|
||||
circuit_resume_edge_reading(circ, layer_hint);
|
||||
} else {
|
||||
if (circ->package_window + CIRCWINDOW_INCREMENT >
|
||||
CIRCWINDOW_START_MAX) {
|
||||
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
|
||||
"Bug/attack: unexpected sendme cell from client. "
|
||||
"Closing circ.");
|
||||
return -END_CIRC_REASON_TORPROTOCOL;
|
||||
}
|
||||
circ->package_window += CIRCWINDOW_INCREMENT;
|
||||
log_debug(LD_APP,
|
||||
"circ-level sendme at non-origin, packagewindow %d.",
|
||||
|
Loading…
Reference in New Issue
Block a user