[tor-bugs] #11092 [Obfsproxy]: scramblesuit should make sure that handshake padding is less than MAX_PADDING_LENGTH

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Mar 3 23:10:10 UTC 2014


#11092: scramblesuit should make sure that handshake padding is less than
MAX_PADDING_LENGTH
---------------------------+-----------------------------
     Reporter:  asn        |      Owner:  asn
         Type:  defect     |     Status:  needs_review
     Priority:  normal     |  Milestone:
    Component:  Obfsproxy  |    Version:
   Resolution:             |   Keywords:  pt-scramblesuit
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+-----------------------------

Comment (by phw):

 Replying to [comment:4 yawning]:
 > In util.locateMark(mark) change "index = payload.find(mark)" to be
 > bounded like:
 > {{{
 >     index = payload.find(mark, 0, const.MAX_PADDING_LENGTH +
 >                                   const.MARK_LENGTH)
 > }}}

 Done.

 > Without the change, it is still possible to accept out-of-spec packets.
 >
 > The current code no longer buffers data forever, but it still continues
 > to process the handshake till the threshold is reached.  In
 > ScrambleSuitTransport.receivedDownstream consider doing something like:
 > {{{
 >     ...
 > }}}
 >
 > Add const.MAX_HANDSHAKE_LENGTH, const.ST_WAIT_FOR_AUTH,
 > self.rxHandshakeLength as appropriate (NB: Dry code.  May have errors, but
 > I hope the idea is clear.).  This avoids doing any data processing after
 > it has been clear that the handshake will never succeed and jettisons the
 > invalid data immediately.

 Done.

 I committed the changes on top of my `bug_11092` branch.  I also increased
 the closing threshold to the (somewhat arbitrary) value
 `MAX_HANDSHAKE_LENGTH * 5`.  I guess that's not a problem since we no
 longer process data after authentication has failed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11092#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
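
The two changes discussed in this comment, sketched as an added example that is not part of the original message and is not obfsproxy's code. The constant values, the stand-in mark, the `HandshakeReceiver` class and the `feed` helper are assumptions made for illustration, and finding the mark is treated as a successful handshake.

```python
# Added illustration; constants are constructed, not obfsproxy's real values.
MARK_LENGTH = 16
MAX_PADDING_LENGTH = 64
# Assumption: nothing past this many bytes can still complete a valid handshake.
MAX_HANDSHAKE_LENGTH = MAX_PADDING_LENGTH + MARK_LENGTH

ST_WAIT_FOR_AUTH, ST_AUTH_FAILED, ST_CONNECTED = range(3)
MARK = b"\x01" * MARK_LENGTH  # constructed stand-in for the real mark


def locate_mark(mark, payload):
    """Offset of the mark, or None if it is absent or preceded by too much padding."""
    index = payload.find(mark, 0, MAX_PADDING_LENGTH + MARK_LENGTH)
    return index if index >= 0 else None


class HandshakeReceiver:
    """Hypothetical, simplified receiver: finding the mark counts as success."""

    def __init__(self, mark):
        self.mark = mark
        self.state = ST_WAIT_FOR_AUTH
        self.buf = b""
        self.rx_handshake_length = 0
        self.searches = 0  # how many times the buffer was actually scanned

    def received(self, data):
        if self.state != ST_WAIT_FOR_AUTH:
            return  # failed (or done): drop the bytes without touching them
        self.rx_handshake_length += len(data)
        self.buf += data
        self.searches += 1
        if locate_mark(self.mark, self.buf) is not None:
            self.state = ST_CONNECTED
        elif self.rx_handshake_length > MAX_HANDSHAKE_LENGTH:
            self.state = ST_AUTH_FAILED
            self.buf = b""  # jettison the invalid data immediately


def feed(chunks):
    """Run constructed chunks through a fresh receiver and return it."""
    rx = HandshakeReceiver(MARK)
    for chunk in chunks:
        rx.received(chunk)
    return rx


if __name__ == "__main__":
    late = feed([b"\x00" * 40] * 3 + [MARK])
    print(late.state == ST_AUTH_FAILED, late.searches)
```

An unbounded `payload.find(mark)` would still locate a mark that sits one byte past the allowed padding, which is the out-of-spec case the bounded search rejects.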

