Verify cpath_layer match on rendezvous cells too. Fixes another case of bug 446. Based on patch from rovv.

svn:r17162
2024-11-23 20:03:31 +01:00 · 2008-10-27 16:46:45 +00:00 · 2008-10-27 16:46:45 +00:00 · ee31e0829e
commit ee31e0829e
parent 0ab45fee73
4 changed files with 19 additions and 6 deletions
--- a/4
+++ b/4
@ -37,6 +37,10 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx
    - Fix another case of assuming, when a specific exit is requested,
      that we know more than the user about what hosts it allows.
      Fixes another case of bug 752.  Patch from rovv.
+    - Check which hops rendezvous stream cells are associated with to
+      prevent possible guess-the-streamid injection attacks from
+      intermediate hops.  Fixes another case of bug 446. Based on patch
+      from rovv.


 Changes in version 0.2.1.6-alpha - 2008-09-30
--- a/src/or/or.h
+++ b/src/or/or.h
@ -3963,8 +3963,8 @@ rend_data_free(rend_data_t *data)

 int rend_cmp_service_ids(const char *one, const char *two);

-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
-                             const char *payload);
+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+                             int command, size_t length, const char *payload);

 void rend_service_descriptor_free(rend_service_descriptor_t *desc);
 int rend_encode_service_descriptor(rend_service_descriptor_t *desc,
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -1151,7 +1151,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
    case RELAY_COMMAND_RENDEZVOUS2:
    case RELAY_COMMAND_INTRO_ESTABLISHED:
    case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
-      rend_process_relay_cell(circ, rh.command, rh.length,
+      rend_process_relay_cell(circ, layer_hint,
+                              rh.command, rh.length,
                              cell->payload+RELAY_HEADER_SIZE);
      return 0;
  }
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@ -1387,16 +1387,24 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 /** Called when we get a rendezvous-related relay cell on circuit
 * <b>circ</b>.  Dispatch on rendezvous relay command. */
 void
-rend_process_relay_cell(circuit_t *circ, int command, size_t length,
+rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+                        int command, size_t length,
                        const char *payload)
 {
  or_circuit_t *or_circ = NULL;
  origin_circuit_t *origin_circ = NULL;
  int r = -2;
-  if (CIRCUIT_IS_ORIGIN(circ))
+  if (CIRCUIT_IS_ORIGIN(circ)) {
    origin_circ = TO_ORIGIN_CIRCUIT(circ);
-  else
+    if (layer_hint && layer_hint != origin_circ->cpath->prev) {
+      log_fn(LOG_PROTOCOL_WARN, LD_APP,
+             "Relay cell (rend purpose %d) from wrong hop on origin circ",
+             command);
+      origin_circ = NULL;
+    }
+  } else {
    or_circ = TO_OR_CIRCUIT(circ);
+  }

  switch (command) {
    case RELAY_COMMAND_ESTABLISH_INTRO: