[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] r17869: {tor} Backport r17162 and r17164: verify cpath_layer match on rend (in tor/branches/tor-0_2_0-patches: . doc src/or)
Author: nickm
Date: 2009-01-03 22:03:45 -0500 (Sat, 03 Jan 2009)
New Revision: 17869
Modified:
tor/branches/tor-0_2_0-patches/ChangeLog
tor/branches/tor-0_2_0-patches/doc/TODO.020
tor/branches/tor-0_2_0-patches/src/or/or.h
tor/branches/tor-0_2_0-patches/src/or/relay.c
tor/branches/tor-0_2_0-patches/src/or/rendcommon.c
Log:
Backport r17162 and r17164: verify cpath_layer match on rendezvous cells too. Fixes another case of bug 446. Based on a patch from rovv.
Modified: tor/branches/tor-0_2_0-patches/ChangeLog
===================================================================
--- tor/branches/tor-0_2_0-patches/ChangeLog 2009-01-04 03:03:40 UTC (rev 17868)
+++ tor/branches/tor-0_2_0-patches/ChangeLog 2009-01-04 03:03:45 UTC (rev 17869)
@@ -1,4 +1,4 @@
-Changes in version 0.2.0.33 - 200?-??-??
+Changes in version 0.2.0.33 - 2009-??-??
o Major bugfixes:
- When a stream at an exit relay is in state "resolving" or
"connecting" and it receives an "end" relay cell, the exit relay
@@ -52,6 +52,10 @@
- Send a valid END cell back when a client tries to connect to a
nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
840. Patch from rovv.
+ - Check which hops rendezvous stream cells are associated with to
+ prevent possible guess-the-streamid injection attacks from
+ intermediate hops. Fixes another case of bug 446. Based on patch
+ from rovv.
o Minor features:
- Report the case where all signatures in a detached set are rejected
Modified: tor/branches/tor-0_2_0-patches/doc/TODO.020
===================================================================
--- tor/branches/tor-0_2_0-patches/doc/TODO.020 2009-01-04 03:03:40 UTC (rev 17868)
+++ tor/branches/tor-0_2_0-patches/doc/TODO.020 2009-01-04 03:03:45 UTC (rev 17869)
@@ -19,7 +19,7 @@
o r17137: send END cell in response to connect to nonexistent hidserv port.
- r17138: reject *:* servers should never do DNS lookups.
o r17139: Fix another case of overriding .exit choices.
- - r17162 and r17164: fix another case of not checking cpath_layer.
+ o r17162 and r17164: fix another case of not checking cpath_layer.
- r17208,r17209,r7211,r17212,r17214: Avoid gotterdammerung when an
authority has an expired certificate.
- r17562: Fix bug 874, wherein a sighup would make us kill all our intro
Modified: tor/branches/tor-0_2_0-patches/src/or/or.h
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/or.h 2009-01-04 03:03:40 UTC (rev 17868)
+++ tor/branches/tor-0_2_0-patches/src/or/or.h 2009-01-04 03:03:45 UTC (rev 17869)
@@ -3688,8 +3688,8 @@
int rend_cmp_service_ids(const char *one, const char *two);
-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
- const char *payload);
+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+ int command, size_t length, const char *payload);
void rend_service_descriptor_free(rend_service_descriptor_t *desc);
int rend_encode_service_descriptor(rend_service_descriptor_t *desc,
Modified: tor/branches/tor-0_2_0-patches/src/or/relay.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/relay.c 2009-01-04 03:03:40 UTC (rev 17868)
+++ tor/branches/tor-0_2_0-patches/src/or/relay.c 2009-01-04 03:03:45 UTC (rev 17869)
@@ -1253,7 +1253,8 @@
case RELAY_COMMAND_RENDEZVOUS2:
case RELAY_COMMAND_INTRO_ESTABLISHED:
case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
- rend_process_relay_cell(circ, rh.command, rh.length,
+ rend_process_relay_cell(circ, layer_hint,
+ rh.command, rh.length,
cell->payload+RELAY_HEADER_SIZE);
return 0;
}
Modified: tor/branches/tor-0_2_0-patches/src/or/rendcommon.c
===================================================================
--- tor/branches/tor-0_2_0-patches/src/or/rendcommon.c 2009-01-04 03:03:40 UTC (rev 17868)
+++ tor/branches/tor-0_2_0-patches/src/or/rendcommon.c 2009-01-04 03:03:45 UTC (rev 17869)
@@ -1180,16 +1180,24 @@
/** Called when we get a rendezvous-related relay cell on circuit
* <b>circ</b>. Dispatch on rendezvous relay command. */
void
-rend_process_relay_cell(circuit_t *circ, int command, size_t length,
+rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+ int command, size_t length,
const char *payload)
{
or_circuit_t *or_circ = NULL;
origin_circuit_t *origin_circ = NULL;
int r = -2;
- if (CIRCUIT_IS_ORIGIN(circ))
+ if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circ = TO_ORIGIN_CIRCUIT(circ);
- else
+ if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
+ log_fn(LOG_PROTOCOL_WARN, LD_APP,
+ "Relay cell (rend purpose %d) from wrong hop on origin circ",
+ command);
+ origin_circ = NULL;
+ }
+ } else {
or_circ = TO_OR_CIRCUIT(circ);
+ }
switch (command) {
case RELAY_COMMAND_ESTABLISH_INTRO: