[tor-bugs] #16410 [Tor]: No maximum length for variable-length cells.
#16410: No maximum length for variable-length cells.
--------------------+---------------------
Reporter: nsk | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version:
Keywords: | Actual Points:
Parent ID: | Points:
--------------------+---------------------
There does not seem to be any maximum length used when pulling variable-
length cells from a connection buffer. The relevant code in
`fetch_var_cell_from_buf()` in `buffers.c`:
{{{
  length = ntohs(get_uint16(hdr + circ_id_len + 1));
  if (buf->datalen < (size_t)(header_len+length))
    return 1;
  result = var_cell_new(length);
  result->command = command;
  if (wide_circ_ids)
    result->circ_id = ntohl(get_uint32(hdr));
  else
    result->circ_id = ntohs(get_uint16(hdr));
  buf_remove_from_front(buf, header_len);
  peek_from_buf((char*) result->payload, length, buf);
  buf_remove_from_front(buf, length);
}}}
I don't see anywhere in tor-spec where a variable-length max length is
defined, but it seems like there should be some sort of explicit length
cap (e.g. a malicious client/relay wanting to be annoying could force
constant 64KB allocations).
I brought this up in IRC, and it was mentioned a variable-length length
cap would have to be sufficiently large and future proof, and I'm not sure
what that value would be.
It's not clear to me whether or not it's intentional to allow 64KB
variable-length cells.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16410>
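
A sketch of the explicit length cap the ticket asks about, as an added example that is not Tor's code and not part of the original ticket. The header layout (circuit ID, command byte, 16-bit length) follows the excerpt above; the cap value `MAX_VAR_CELL_PAYLOAD` and all type and function names are hypothetical, since the ticket leaves the value open.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical cap: the ticket does not settle on a value. */
#define MAX_VAR_CELL_PAYLOAD 4096

enum vc_status { VC_NEED_MORE, VC_OK, VC_TOO_LONG };

struct vc_header {
  uint32_t circ_id;
  uint8_t command;
  uint16_t length;     /* payload length claimed by the peer */
  size_t header_len;
};

/* Read a big-endian 16-bit value without alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a variable-length cell header from the first `datalen` bytes of `buf`.
 * The length field is checked against the cap as soon as the header is
 * available, before waiting for (or allocating) the payload. */
enum vc_status
parse_var_cell_header(const uint8_t *buf, size_t datalen,
                      int wide_circ_ids, struct vc_header *out)
{
  const size_t circ_id_len = wide_circ_ids ? 4 : 2;
  const size_t header_len = circ_id_len + 1 + 2;

  if (datalen < header_len)
    return VC_NEED_MORE;

  out->circ_id = wide_circ_ids
    ? ((uint32_t)rd16(buf) << 16) | rd16(buf + 2)
    : rd16(buf);
  out->command = buf[circ_id_len];
  out->length = rd16(buf + circ_id_len + 1);
  out->header_len = header_len;

  if (out->length > MAX_VAR_CELL_PAYLOAD)
    return VC_TOO_LONG;            /* caller should close the connection */
  if (datalen < header_len + (size_t)out->length)
    return VC_NEED_MORE;           /* header is sane, payload still arriving */
  return VC_OK;
}
```

Because the cap is tested before the completeness check, an oversized length is rejected from the header alone rather than after the receiver has buffered the full claimed payload.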