Commit Graph

3110 Commits

Author SHA1 Message Date
Nick Mathewson
520cf21793 Move destroy cells into a separate queue type of their own, to save RAM
We've been seeing problems with destroy cells queues taking up a
huge amount of RAM.  We can mitigate this, since while a full packed
destroy cell takes 514 bytes, we only need 5 bytes to remember a
circuit ID and a reason.

Fixes bug 24666. Bugfix on 0.2.5.1-alpha, when destroy cell queues
were introduced.
2017-12-21 10:29:01 -05:00
Nick Mathewson
1deda2106b Merge branch 'bug24167_025' into maint-0.2.5 2017-12-11 16:56:28 -05:00
Nick Mathewson
f5d4bdf305 Merge remote-tracking branch 'public/ticket23856_025_01' into maint-0.2.5 2017-12-11 16:53:02 -05:00
Nick Mathewson
461e34bb3d Fix a clang compilation warning in rendservice.c
Fixes bug 24480; bugfix on 0.2.5.16.
2017-12-01 12:13:15 -05:00
Nick Mathewson
f49876d66e Merge branch 'trove-2017-012_025' into maint-0.2.5 2017-11-30 12:06:21 -05:00
Nick Mathewson
08ce39fb0f Merge branch 'trove-2017-011_025' into maint-0.2.5 2017-11-30 12:06:17 -05:00
Nick Mathewson
a6a0c7a4ec Merge branch 'trove-2017-009_025' into maint-0.2.5 2017-11-30 12:05:59 -05:00
Nick Mathewson
75509dc827 Fix changes file 2017-11-30 11:52:40 -05:00
David Goulet
6ab07419c8 Use local descriptor object to exclude self in path selection
TROVE-2017-12. Severity: Medium

When choosing a random node for a circuit, directly use our router
descriptor to exclude ourself instead of the one in the global
descriptor list. That list could be empty because tor could be
downloading them which could lead to not excluding ourself.

Closes #21534
2017-11-28 19:14:10 -05:00
Nick Mathewson
1880a6a88e Avoid asking for passphrase on junky PEM input
Fixes bug 24246 and TROVE-2017-011.

This bug is so old, it's in Matej's code.  Seems to have been
introduced with e01522bbed.
2017-11-27 15:25:03 -05:00
Nick Mathewson
2834cc9c18 Fix length of replaycache-checked data.
This is a regression; we should have been checking only the
public-key encrypted portion.  Fixes bug 24244, TROVE-2017-009, and
CVE-2017-8819.
2017-11-27 15:12:19 -05:00
David Goulet
8be50ca3ea relay: Change bandwidth stats interval to 24 hours
Going from 4 hours to 24 hours in order to try reduce the efficiency of guard
discovery attacks.

Closes #23856

Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-11-27 10:00:40 -05:00
Nick Mathewson
95238eb917 Fix a traceback when closing a blocked connection "immediately".
When we close a connection via connection_close_immediately, we kill
its events immediately. But if it had been blocked on bandwidth
read/write, we could try to re-add its (nonexistent) events later
from connection_bucket_refill -- if we got to that callback before
we swept the marked connections.

Fixes bug 24167.  Fortunately, this hasn't been a crash bug since we
introduced connection_check_event in 0.2.9.10, and backported it.

This is a bugfix on commit 89d422914a, I believe, which
appeared in Tor 0.1.0.1-rc.
2017-11-16 12:05:56 -05:00
Nick Mathewson
9f2efd02a1 Minimal implementation of bridge-distribution-request
Just advertise the line when we're a bridge, using "any" if we're
published or "none" if we aren't.

This is done in lieu of a full backport of #18329.
2017-11-13 20:44:51 -05:00
Karsten Loesing
6f8c32b7de Update geoip and geoip6 to the November 6 2017 database. 2017-11-10 10:14:09 +01:00
David Goulet
15a699462d dirauth: Add bastet to the default authorities
Fixes #23910

Based on a patch by dgoulet; backported to 0.2.5
2017-10-23 09:03:36 -04:00
Nick Mathewson
5d219ecf98 Update Longclaw's IP address; fixes 23592. 2017-10-17 14:00:30 -04:00
Nick Mathewson
2e21493a88 add missing subcategory in changes file 2017-10-05 11:04:54 -04:00
Karsten Loesing
b9d9b16b76 Update geoip and geoip6 to the October 4 2017 database. 2017-10-05 16:56:14 +02:00
Karsten Loesing
09618ffe38 Update geoip and geoip6 to the September 6 2017 database. 2017-09-07 21:06:16 +02:00
Karsten Loesing
1280de42a4 Update geoip and geoip6 to the August 3 2017 database. 2017-08-03 10:00:54 +02:00
Nick Mathewson
0bfd1c318c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-08-01 11:19:28 -04:00
Nick Mathewson
6199e27a2b Merge remote-tracking branch 'karsten/geoip-jul2017' into maint-0.2.4 2017-08-01 11:19:24 -04:00
Nick Mathewson
09618bc488 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-26 15:34:40 -04:00
Isis Lovecruft
7b4585e2a3
Add a changes file for bug22636. 2017-07-17 21:44:59 +00:00
Nick Mathewson
78dfa76ddc Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-07 10:51:28 -04:00
Nick Mathewson
b47249e0bb Mention TROVE-2017-007 in changes file for 22789 2017-07-07 10:51:25 -04:00
Karsten Loesing
b6acfa491e Update geoip and geoip6 to the July 4 2017 database. 2017-07-07 16:27:54 +02:00
Nick Mathewson
ff8c230d7c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-07-05 13:42:26 -04:00
Nick Mathewson
bb3f74e66b Fix assertion failure related to openbsd strtol().
Fixes bug 22789; bugfix on 0.2.3.8-alpha.
2017-07-03 11:22:27 -04:00
Nick Mathewson
ccae991662 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-27 11:04:44 -04:00
Nick Mathewson
8d2978b13c Fix an errant memset() into the middle of a struct in cell_pack().
This mistake causes two possible bugs. I believe they are both
harmless IRL.

BUG 1: memory stomping

When we call the memset, we are overwriting two 0 bytes past the end
of packed_cell_t.body. But I think that's harmless in practice,
because the definition of packed_cell_t is:

// ...
typedef struct packed_cell_t {
  TOR_SIMPLEQ_ENTRY(packed_cell_t) next;
  char body[CELL_MAX_NETWORK_SIZE];
  uint32_t inserted_time;
} packed_cell_t;

So we will overwrite either two bytes of inserted_time, or two bytes
of padding, depending on how the platform handles alignment.

If we're overwriting padding, that's safe.

If we are overwriting the inserted_time field, that's also safe: In
every case where we call cell_pack() from connection_or.c, we ignore
the inserted_time field. When we call cell_pack() from relay.c, we
don't set or use inserted_time until right after we have called
cell_pack(). SO I believe we're safe in that case too.

BUG 2: memory exposure

The original reason for this memset was to avoid the possibility of
accidentally leaking uninitialized ram to the network. Now
remember, if wide_circ_ids is false on a connection, we shouldn't
actually be sending more than 512 bytes of packed_cell_t.body, so
these two bytes can only leak to the network if there is another bug
somewhere else in the code that sends more data than is correct.

Fortunately, in relay.c, where we allocate packed_cell_t in
packed_cell_new() , we allocate it with tor_malloc_zero(), which
clears the RAM, right before we call cell_pack. So those
packed_cell_t.body bytes can't leak any information.

That leaves the two calls to cell_pack() in connection_or.c, which
use stack-alocated packed_cell_t instances.

In or_handshake_state_record_cell(), we pass the cell's contents to
crypto_digest_add_bytes(). When we do so, we get the number of
bytes to pass using the same setting of wide_circ_ids as we passed
to cell_pack(). So I believe that's safe.

In connection_or_write_cell_to_buf(), we also use the same setting
of wide_circ_ids in both calls. So I believe that's safe too.

I introduced this bug with 1c0e87f6d8
back in 0.2.4.11-alpha; it is bug 22737 and CID 1401591
2017-06-27 10:47:20 -04:00
Nick Mathewson
325c507a09 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-09 09:58:45 -04:00
Karsten Loesing
104e8fa751 Update geoip and geoip6 to the June 8 2017 database. 2017-06-09 15:47:49 +02:00
Nick Mathewson
dec7998f5c Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-08 09:21:15 -04:00
David Goulet
56a7c5bc15 TROVE-2017-005: Fix assertion failure in connection_edge_process_relay_cell
On an hidden service rendezvous circuit, a BEGIN_DIR could be sent
(maliciously) which would trigger a tor_assert() because
connection_edge_process_relay_cell() thought that the circuit is an
or_circuit_t but is an origin circuit in reality.

Fixes #22494

Reported-by: Roger Dingledine <arma@torproject.org>
Signed-off-by: David Goulet <dgoulet@torproject.org>
2017-06-08 09:21:10 -04:00
Nick Mathewson
1a540b5792 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-06-05 12:00:08 -04:00
Nick Mathewson
e3ebae4804 Fix undefined behavior in geoip_parse_entry().
Fixes bug 22490; bugfix on 6a241ff3ff in 0.2.4.6-alpha.

Found by teor using clang-5.0's AddressSanitizer stack-use-after-scope.
2017-06-05 10:09:39 -04:00
Nick Mathewson
68d6720452 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-05-08 08:06:59 -04:00
Karsten Loesing
5207e41ffe Update geoip and geoip6 to the May 2 2017 database. 2017-05-08 10:09:42 +02:00
Nick Mathewson
a8a860e1da Merge branch 'maint-0.2.4' into maint-0.2.5 2017-04-06 08:31:12 -04:00
Karsten Loesing
9d7933296c Update geoip and geoip6 to the April 4 2017 database. 2017-04-06 10:52:39 +02:00
Nick Mathewson
933a1e7997 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-03-08 10:10:29 -05:00
Karsten Loesing
4488c319dd Update geoip and geoip6 to the March 7 2017 database. 2017-03-08 09:41:35 +01:00
Nick Mathewson
a452b71395 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-15 07:47:04 -05:00
Nick Mathewson
194e31057f Avoid integer underflow in tor_version_compare.
Fix for TROVE-2017-001 and bug 21278.

(Note: Instead of handling signed ints "correctly", we keep the old
behavior, except for the part where we would crash with -ftrapv.)
2017-02-14 16:10:27 -05:00
Roger Dingledine
635c5a8a92 be sure to remember the changes file for #20384 2017-02-13 15:22:36 -05:00
Nick Mathewson
124062e843 Merge branch 'maint-0.2.4' into maint-0.2.5 2017-02-13 14:37:01 -05:00
Karsten Loesing
f6016058b4 Update geoip and geoip6 to the February 8 2017 database. 2017-02-12 15:56:31 +01:00
Nick Mathewson
2ce4330249 Merge remote-tracking branch 'public/bug18710_025' into maint-0.2.5 2017-02-07 10:37:43 -05:00