[tor-bugs] #16410 [Tor]: No maximum length for variable-length cells.

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Jun 21 01:16:05 UTC 2015


#16410: No maximum length for variable-length cells.
--------------------+---------------------
 Reporter:  nsk     |          Owner:
     Type:  defect  |         Status:  new
 Priority:  normal  |      Milestone:
Component:  Tor     |        Version:
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
--------------------+---------------------
 There does not seem to be any maximum length used when pulling variable-
 length cells from a connection buffer. The relevant code in
 `fetch_var_cell_from_buf()` in `buffers.c`:

 {{{
 length = ntohs(get_uint16(hdr + circ_id_len + 1));
 if (buf->datalen < (size_t)(header_len+length))
   return 1;
 result = var_cell_new(length);
 result->command = command;
 if (wide_circ_ids)
   result->circ_id = ntohl(get_uint32(hdr));
 else
   result->circ_id = ntohs(get_uint16(hdr));

 buf_remove_from_front(buf, header_len);
 peek_from_buf((char*) result->payload, length, buf);
 buf_remove_from_front(buf, length);
 }}}

 I don't see anywhere in tor-spec where a variable-length max length is
 defined, but it seems like there should be some sort of explicit length
 cap (e.g. a malicious client/relay wanting to be annoying could force
 constant 64KB allocations).

 I brought this up in IRC, and it was mentioned a variable-length length
 cap would have to be sufficiently large and future proof, and I'm not sure
 what that value would be.

 It's not clear to me whether or not it's intentional to allow 64KB
 variable-length cells.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16410>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
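
Added example, not part of the original ticket and not Tor's code: a standalone parser for the header layout used in the snippet above (circuit ID, 1-byte command, 2-byte big-endian length) that enforces a length cap before it waits for or allocates the payload. All `example_*` and `VC_*` names are hypothetical, and the cap value is an assumption made for illustration, since the ticket leaves the right value open.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap, for illustration only; the ticket does not settle on a value. */
#define EXAMPLE_MAX_VAR_PAYLOAD 8192

typedef struct {
  uint32_t circ_id;
  uint8_t command;
  uint16_t length;
  uint8_t *payload;   /* heap-allocated; caller frees */
} example_var_cell;

enum { VC_NEED_MORE = 0, VC_OK = 1, VC_TOO_LONG = -1, VC_NOMEM = -2 };

/* Parse one variable-length cell from in[0..inlen).
 * On VC_OK, *used is the number of bytes consumed from the input. */
int example_parse_var_cell(const uint8_t *in, size_t inlen, int wide_circ_ids,
                           example_var_cell *out, size_t *used)
{
  size_t circ_id_len = wide_circ_ids ? 4 : 2;
  size_t header_len = circ_id_len + 1 + 2;
  if (inlen < header_len)
    return VC_NEED_MORE;

  uint16_t length = (uint16_t)((in[circ_id_len + 1] << 8) | in[circ_id_len + 2]);
  /* Check the cap as soon as the header is readable, so an oversized claim
   * is rejected before any payload is buffered or allocated. */
  if (length > EXAMPLE_MAX_VAR_PAYLOAD)
    return VC_TOO_LONG;
  if (inlen - header_len < length)
    return VC_NEED_MORE;

  out->payload = malloc(length ? length : 1);
  if (!out->payload)
    return VC_NOMEM;
  out->circ_id = wide_circ_ids
    ? ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) | ((uint32_t)in[2] << 8) | in[3]
    : ((uint32_t)in[0] << 8) | in[1];
  out->command = in[circ_id_len];
  out->length = length;
  memcpy(out->payload, in + header_len, length);
  *used = header_len + length;
  return VC_OK;
}
```

A caller would treat `VC_TOO_LONG` as a protocol violation and close the connection, rather than keep reading in the hope that the payload arrives.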