[tor-bugs] #7889 [Tor]: Relays should drop/destroy begin cells with streamid 0
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jan 8 12:12:35 UTC 2013
#7889: Relays should drop/destroy begin cells with streamid 0
-----------------------+----------------------------------------------------
Reporter: arma | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Keywords: tor-relay | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Properly behaving clients can't generate a begin cell with streamid 0:
{{{
if (test_stream_id == 0)
goto again;
}}}
but if such a begin cell does arrive at an exit, it will still launch the
stream. And since relay_lookup_conn() returns NULL if streamid is 0, so
there's no way to address another cell (e.g. a relay end cell) to this
stream. It opens but can never be closed.
This is an issue for RELAY_COMMAND_BEGIN, RELAY_COMMAND_BEGIN_DIR, and
RELAY_COMMAND_RESOLVE in particular. But we should solve it for all non-
control relay cells:
{{{
1 -- RELAY_BEGIN [forward]
2 -- RELAY_DATA [forward or backward]
3 -- RELAY_END [forward or backward]
4 -- RELAY_CONNECTED [backward]
11 -- RELAY_RESOLVE [forward]
12 -- RELAY_RESOLVED [backward]
13 -- RELAY_BEGIN_DIR [forward]
}}}
I think the resolution could be to kill the circuit for breaking protocol?
Bug reported by oftc_must_be_destroyed on oftc.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7889>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list