commit ccaeef22e168af34e9b6a63d65ce17e58dd702e2 Author: Mike Perry mikeperry-git@fscked.org Date: Tue Dec 11 17:49:12 2012 -0800
Tags on relay cells can result in certain reason codes.
Close the circuit (it's probably junk anyways), and make sure we don't probe it/count it as a success. --- src/or/circuitbuild.c | 2 ++ src/or/or.h | 8 +++++++- src/or/relay.c | 24 +++++++++++++++++------- 3 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 3e2568c..f93b04f 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -1140,6 +1140,8 @@ pathbias_state_to_string(path_state_t state) return "build succeeded"; case PATH_STATE_USE_SUCCEEDED: return "use succeeded"; + case PATH_STATE_USE_FAILED: + return "use failed"; }
return "unknown"; diff --git a/src/or/or.h b/src/or/or.h index aaf817d..ccc20b9 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -2779,6 +2779,12 @@ typedef enum { * just tag at a later point. */ PATH_STATE_USE_SUCCEEDED = 3, + + /** + * This is a special state to indicate that we got a corrupted + * relay cell on a circuit and we don't intend to probe it. + */ + PATH_STATE_USE_FAILED = 4, } path_state_t;
/** An origin_circuit_t holds data necessary to build and use a circuit. @@ -2816,7 +2822,7 @@ typedef struct origin_circuit_t {
/** Kludge to help us prevent the warn in bug #6475 and eventually * debug why we are not seeing first hops in some cases. */ - path_state_t path_state : 2; + path_state_t path_state : 3;
/** Set iff this is a hidden-service circuit which has timed out * according to our current circuit-build timeout, but which has diff --git a/src/or/relay.c b/src/or/relay.c index fd8f857..b4b7700 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -694,13 +694,23 @@ connection_ap_process_end_not_open( (void) layer_hint; /* unused */
if (rh->length > 0) { - /* Path bias: If we get a valid reason code from the exit, - * it wasn't due to tagging */ - // XXX: This relies on recognized+digest being strong enough not - // to be spoofable.. Is that a valid assumption? - // Or more accurately: is it better than nothing? Can the attack - // be done offline? - circ->path_state = PATH_STATE_USE_SUCCEEDED; + if (reason == END_STREAM_REASON_TORPROTOCOL || + reason == END_STREAM_REASON_INTERNAL || + reason == END_STREAM_REASON_DESTROY) { + /* All three of these reasons could mean a failed tag + * hit the exit and it shat itself. Do not probe. + * Fail the circuit. */ + circ->path_state = PATH_STATE_USE_FAILED; + return -END_CIRC_REASON_TORPROTOCOL; + } else { + /* Path bias: If we get a valid reason code from the exit, + * it wasn't due to tagging */ + // XXX: This relies on recognized+digest being strong enough not + // to be spoofable.. Is that a valid assumption? + // Or more accurately: is it better than nothing? Can the attack + // be done offline? + circ->path_state = PATH_STATE_USE_SUCCEEDED; + } }
if (rh->length > 0 && edge_reason_is_retriable(reason) &&