[tor-bugs] #20307 [Core Tor/Tor]: [warn] Remote server sent bogus reason code 65021

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 22 17:42:36 UTC 2016


#20307: [warn] Remote server sent bogus reason code 65021
-------------------------------------------------+-------------------------
 Reporter:  arma                                 |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.3.0.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.2.8.1-alpha
 Severity:  Normal                               |     Resolution:
 Keywords:  circuit, 029-backport, nickm-        |  Actual Points:
  deferred-20161017, triage-out-030-201612       |
Parent ID:                                       |         Points:  2
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by dgoulet):

 * keywords:  circuit, 029-proposed, nickm-deferred-20161017, triage-
     out-030-201612 => circuit, 029-backport, nickm-deferred-20161017,
     triage-out-030-201612
 * priority:  Medium => Very High
 * version:  Tor: 0.2.9.3-alpha => Tor: 0.2.8.1-alpha
 * milestone:  Tor: 0.3.1.x-final => Tor: 0.3.0.x-final


Comment:

 Here is the problem, which also fixes in part #21056, as introduction
 points are being flagged wrongfully because of this bug.

 In `circuit_mark_for_close_()`, we take the `int reason` and then assign
 it to:

 {{{
   circ->marked_for_close_reason = reason;
   circ->marked_for_close_orig_reason = orig_reason;
 }}}

 Both of the above are `uint16_t`, which is bad because the reason value is
 an `int`. Furthermore, we have internal reasons that are negative values
 such as `#define END_CIRC_REASON_IP_NOW_REDUNDANT -4`, used to indicate to
 the circuit subsystem to NOT report the intro point as a failed connection
 attempt, ultimately putting the intro point in the failure cache. But with
 the `uint16_t` conversion, the reason became `65532` instead of `-4`, which
 ultimately invalidates 2/3 of the intro points of a descriptor on the
 client side. BAD!

 This issue has been introduced in `8b4e5b7ee` released in
 tor-0.2.8.1-alpha.

 I'm also flagging this for an 029 backport even though this is not a
 security issue; it has quite bad consequences for HS reachability.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20307#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
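
The truncation described in the comment above, reproduced as an added example that is not part of the original message and is not Tor's code. The struct names, helper functions and the `int`-wide field are assumptions made for illustration; only the field name, the macro and the values `-4` and `65532` come from the comment.

```c
#include <stdint.h>
#include <stdio.h>

/* Value quoted in the comment above. */
#define END_CIRC_REASON_IP_NOW_REDUNDANT -4

/* Hypothetical, simplified stand-ins for the circuit struct: only the
 * field named in the comment is modelled. */
struct circ_narrow { uint16_t marked_for_close_reason; };  /* as reported */
struct circ_wide   { int marked_for_close_reason; };       /* assumed fix */

/* Store an int reason in the 16-bit field and read it back. The cast is
 * what the plain assignment does implicitly: conversion modulo 65536. */
static int stored_narrow(int reason) {
  struct circ_narrow c;
  c.marked_for_close_reason = (uint16_t)reason;
  return c.marked_for_close_reason;
}

/* Same round trip with a field as wide as the reason itself. */
static int stored_wide(int reason) {
  struct circ_wide c;
  c.marked_for_close_reason = reason;
  return c.marked_for_close_reason;
}

/* Constructed model of the decision described above: the intro point is
 * counted as failed unless the close reason is IP_NOW_REDUNDANT. */
static int counts_as_failed(int stored_reason) {
  return stored_reason != END_CIRC_REASON_IP_NOW_REDUNDANT;
}

/* Guard a caller could assert before narrowing a reason to 16 bits. */
static int fits_uint16(int reason) {
  return reason >= 0 && reason <= UINT16_MAX;
}

int main(void) {
  int r = END_CIRC_REASON_IP_NOW_REDUNDANT;
  printf("uint16_t field: stored=%d failed=%d\n",
         stored_narrow(r), counts_as_failed(stored_narrow(r)));
  printf("int field:      stored=%d failed=%d\n",
         stored_wide(r), counts_as_failed(stored_wide(r)));
  printf("fits in uint16_t: %d\n", fits_uint16(r));
  return 0;
}
```

Building with `-Wconversion` flags the implicit form of this narrowing assignment at compile time.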