commit dc397f9a61e2e2caeea1acd46beab0e7205eaa9f Author: Mike Perry mikeperry-git@torproject.org Date: Sun May 27 01:42:35 2018 +0000
Bug 26214: Check stream SENDME against max. --- src/or/or.h | 1 + src/or/relay.c | 24 ++++++++++++++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/or/or.h b/src/or/or.h
index e106ec66f..db8f9544f 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -929,6 +929,7 @@ typedef enum {
 /** Initial value on both sides of a stream transmission window when the
 * stream is initialized. Measured in cells. */
 #define STREAMWINDOW_START 500
+#define STREAMWINDOW_START_MAX 500
 /** Amount to increment a stream window when we get a stream SENDME. */
 #define STREAMWINDOW_INCREMENT 50
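Review bot: STREAMWINDOW_START_MAX is added without a doc comment, although both neighbouring defines carry one, and nothing records that relay.c's new stream-SENDME check treats it as the ceiling a stream's package window may reach and closes the circuit when a SENDME would push the window past it. Because it is simply set to the same literal as STREAMWINDOW_START, raising STREAMWINDOW_START alone would make the first SENDME on every stream fail that check; a comment such as `/** Largest value a stream's package window may reach via stream SENDMEs. Must be >= STREAMWINDOW_START, or relay.c rejects every stream SENDME. */` above the define, together with a compile-time assertion that STREAMWINDOW_START <= STREAMWINDOW_START_MAX, would pin the invariant down. The same point applies to the relay.c hunk that introduces the check.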
diff --git a/src/or/relay.c b/src/or/relay.c
index 50f59d6b9..3632678af 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1752,8 +1752,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 circuit_resume_edge_reading(circ, layer_hint);
/* We count circuit-level sendme's as valid delivered data because - * they are rate limited. Note that we cannot count stream - * sendme's because the other end could send as many as they like. + * they are rate limited. */ if (CIRCUIT_IS_ORIGIN(circ)) { circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), @@ -1783,6 +1782,27 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, rh.stream_id); return 0; } + + /* Don't allow the other endpoint to request more than our maximim + * (ie initial) stream SENDME window worth of data. Well-behaved + * stock clients will not request more than this max (as per the check + * in the while loop of connection_edge_consider_sending_sendme()). + */ + if (conn->package_window + STREAMWINDOW_INCREMENT > + STREAMWINDOW_START_MAX) { + static struct ratelim_t stream_warn_ratelim = RATELIM_INIT(600); + log_fn_ratelim(&stream_warn_ratelim,LOG_PROTOCOL_WARN, LD_PROTOCOL, + "Unexpected stream sendme cell. Closing circ (window %d).", + conn->package_window); + return -END_CIRC_REASON_TORPROTOCOL; + } + + /* At this point, the stream sendme is valid */ + if (CIRCUIT_IS_ORIGIN(circ)) { + circuit_read_valid_data(TO_ORIGIN_CIRCUIT(circ), + rh.length); + } + conn->package_window += STREAMWINDOW_INCREMENT; log_debug(domain,"stream-level sendme, packagewindow now %d.", conn->package_window);
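Review bot: The comment introducing the new guard has `maximim` for `maximum`, and `log_fn_ratelim(&stream_warn_ratelim,LOG_PROTOCOL_WARN, LD_PROTOCOL,` lacks the space after the first comma that the rest of the call uses. The second new comment, `/* At this point, the stream sendme is valid */`, would serve readers better if it said why a stream SENDME may now be counted as valid delivered data — the guard above bounds how many SENDMEs an endpoint can have accepted per window, which is exactly the concern the earlier hunk dropped from the circuit-level comment; something like `/* The guard above bounds stream SENDMEs to the window size, so counting them as valid delivered data can no longer be inflated by the other end. */`. Whether conn is guaranteed non-NULL on this path is decided before the hunk, presumably by the circuit-level SENDME branch, and cannot be confirmed from here. connection_edge_process_relay_cell begins and continues outside the hunk.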