[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #31107 [Core Tor/Tor]: channel: channel_tls_handle_cell() CELL_VERSIONS code reached



#31107: channel: channel_tls_handle_cell() CELL_VERSIONS code reached
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  nickm
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.4.2.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-relay, tor-channel 042-must      |  Actual Points:
  029-backport? 035-backport 040-backport        |
  041-backport BugSmashFund                      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):

 * keywords:  tor-relay, tor-channel security 042-must =>
     tor-relay, tor-channel 042-must 029-backport? 035-backport
     040-backport 041-backport BugSmashFund
 * priority:  Very High => High


Comment:

 Okay, this is a bug, and an old one.  It looks like our logic in
 connection_or_process_cells_from_inbuf() is wrong in the way that it
 handles variable-length cells.

 Basically, what it is doing right now it this:
 {{{
 try to fetch var_cell_t from buffer.
 if (we got a var_cell_t) {
    give it to the channel layer.
    return
 }
 see whether we have more than 512/514 bytes on the buffer
 if (we do) {
    package it as a cell_t
    give it to the channel layer
    return;
 }
 wait for more data
 }}}

 See the problem?  If we have a pending incomplete variable-length cell of
 more than 512/514 bytes, it will get mis-packaged as a regular fixed-
 length cell.

 What fun!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31107#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs