Re: [tor-bugs] #31107 [Core Tor/Tor]: channel: channel_tls_handle_cell() CELL_VERSIONS code reached
#31107: channel: channel_tls_handle_cell() CELL_VERSIONS code reached
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  nickm
     Type:  defect                               |         Status:  accepted
 Priority:  High                                 |      Milestone:  Tor: 0.4.2.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-relay, tor-channel 042-must      |  Actual Points:
  029-backport? 035-backport 040-backport        |
  041-backport BugSmashFund                      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):
* keywords: tor-relay, tor-channel security 042-must =>
tor-relay, tor-channel 042-must 029-backport? 035-backport
040-backport 041-backport BugSmashFund
* priority: Very High => High
Comment:
Okay, this is a bug, and an old one. It looks like our logic in
connection_or_process_cells_from_inbuf() is wrong in the way that it
handles variable-length cells.
Basically, what it is doing right now is this:
{{{
try to fetch var_cell_t from buffer.
if (we got a var_cell_t) {
  give it to the channel layer.
  return
}
see whether we have more than 512/514 bytes on the buffer
if (we do) {
  package it as a cell_t
  give it to the channel layer
  return;
}
wait for more data
}}}
See the problem? If we have a pending incomplete variable-length cell of
more than 512/514 bytes, it will get mis-packaged as a regular
fixed-length cell.
What fun!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31107#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
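The framing flow described in the comment above, next to a variant that reads the command byte before falling back to fixed-length framing, as an added example (a simplified model, not Tor's source and not the fix that was merged). It assumes 4-byte circuit IDs, so 514-byte fixed cells, and tor-spec's rule that command 7 and commands >= 128 are variable-length; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum frame { NEED_MORE, FIXED_CELL, VAR_CELL };
#define FIXED_LEN 514 /* assumed: 4-byte circ ID + command + 509-byte body */
#define VAR_HDR 7     /* assumed: 4-byte circ ID + command + 2-byte length */

/* tor-spec: VERSIONS (7) and commands >= 128 are variable-length. */
static int is_var_cmd(uint8_t cmd) { return cmd == 7 || cmd >= 128; }

/* True only when a complete variable-length cell is buffered. */
static int whole_var_cell(const uint8_t *buf, size_t n) {
  if (n < VAR_HDR || !is_var_cmd(buf[4])) return 0;
  return n >= VAR_HDR + (((size_t)buf[5] << 8) | buf[6]);
}

/* The flow as described in the comment: the fixed-length fallback
 * never asks whether the buffer starts with a partial var cell. */
enum frame classify_described(const uint8_t *buf, size_t n) {
  if (whole_var_cell(buf, n)) return VAR_CELL;
  if (n >= FIXED_LEN) return FIXED_CELL;
  return NEED_MORE;
}

/* Checked flow: decide the cell kind from the command byte first. */
enum frame classify_checked(const uint8_t *buf, size_t n) {
  if (n < 5) return NEED_MORE; /* command byte not received yet */
  if (is_var_cmd(buf[4]))
    return whole_var_cell(buf, n) ? VAR_CELL : NEED_MORE;
  return n >= FIXED_LEN ? FIXED_CELL : NEED_MORE;
}

/* Constructed input: the first `have` bytes (>= 7) of a cell. */
size_t make_cell_prefix(uint8_t *out, uint8_t cmd, uint16_t len, size_t have) {
  memset(out, 0, have);
  out[4] = cmd; out[5] = (uint8_t)(len >> 8); out[6] = (uint8_t)(len & 0xff);
  return have;
}

int main(void) {
  uint8_t buf[2048];
  /* 600 of 1007 bytes of a var cell (command 129, 1000-byte payload) */
  size_t n = make_cell_prefix(buf, 129, 1000, 600);
  printf("described=%d checked=%d\n",
         classify_described(buf, n), classify_checked(buf, n));
  return 0;
}
```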