[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #10777 [Tor]: Remotely triggerable circuit destruction by path bias code
#10777: Remotely triggerable circuit destruction by path bias code
-----------------------------+-----------------------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: needs_information
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-client regression
Actual Points: | Parent ID:
Points: |
-----------------------------+-----------------------------------
Comment (by cypherpunks):
Client sends begin cell with something-trigger.
Exit relay process it and does:
connection_exit_connect:
{{{
log_debug(LD_EXIT,"about to try connecting");
switch (connection_connect(conn, conn->address, addr, port,
&socket_error)) {
case -1: {
int reason = errno_to_stream_end_reason(socket_error);
connection_edge_end(edge_conn, reason);
}}}
errno_to_stream_end_reason:
{{{
E_CASE(EBADF):
E_CASE(EFAULT):
E_CASE(EINVAL):
S_CASE(EISCONN):
S_CASE(ENOTSOCK):
S_CASE(EPROTONOSUPPORT):
S_CASE(EAFNOSUPPORT):
E_CASE(EACCES):
S_CASE(ENOTCONN):
S_CASE(ENETUNREACH):
return END_STREAM_REASON_INTERNAL;
}}}
Exit sent relay_end cell.
Client process this cell by connection_ap_process_end_not_open.
{{{
if (rh->length > 0) {
if (reason == END_STREAM_REASON_TORPROTOCOL ||
reason == END_STREAM_REASON_INTERNAL ||
reason == END_STREAM_REASON_DESTROY) {
/* All three of these reasons could mean a failed tag
* hit the exit and it complained. Do not probe.
* Fail the circuit. */
circ->path_state = PATH_STATE_USE_FAILED;
log_warn(LD_APP,"Got '%d' end reason.", reason);
return -END_CIRC_REASON_TORPROTOCOL;
}}}
Client destroys circuit, detaches all streams and close them.
First, it's bug for exit side to count some of those reasons as internal.
(EHOSTUNREACH counted as END_STREAM_REASON_NOROUTE while ENETUNREACH is
internal for some reason)
Second, it's bug in general to use stream end reason for path bias
detection purpose. Without warns (except non informative
"connection_edge_process_relay_cell (at origin) failed."), without chance
to reattach not yet connected streams to new circuit, with destroying all
already attached streams. With reasons that choosed by exit under external
preasure.
That was series of minor bugs, now it's solid remotely triggerable ciruit
destruction.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10777#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs