[tor-bugs] #26214 [Core Tor/Tor]: Check stream SENDME against max
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun May 27 05:12:09 UTC 2018
#26214: Check stream SENDME against max
------------------------------+--------------------------------
Reporter: mikeperry | Owner: mikeperry
Type: defect | Status: assigned
Priority: Medium | Milestone: Tor: 0.3.4.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: SponsorV-can |
------------------------------+--------------------------------
In connection_edge_process_relay_cell() under the RELAY_COMMAND_SENDME
handling, we check the circuit-level sendme against the window START_MAX,
but we do not check the stream-level SENDME against any max.

This means that an attacker can send as many stream-level SENDMEs on a
circuit as they like, inflating the stream window as large as they like.

This might be a serious OOM bug, but the circuit level SENDME check should
prevent that, I think.

Even so, it would be nice to fix this in 0.3.4, so that the vanguards
script's detection of invalid/dropped circuit data is more accurate.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26214>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
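
The missing bound described in the ticket, as an added example that is not part of the original report and is not Tor's code. It is a simplified model: `struct stream`, `sendme_unchecked`, `sendme_checked` and `run` are hypothetical names, and the constants and the choice of bound (the stream window's start value) are assumptions.

```c
#include <stdio.h>

/* Assumed values, modelled on Tor's stream flow-control constants. */
#define STREAMWINDOW_START      500  /* initial and maximum window */
#define STREAMWINDOW_INCREMENT   50  /* cells credited per stream SENDME */

/* Hypothetical minimal stream state (not Tor's edge connection type). */
struct stream {
  int package_window;  /* cells we may still package on this stream */
  int rejected;        /* SENDMEs refused as invalid */
};

/* Behaviour the ticket describes: every stream SENDME is credited. */
static void sendme_unchecked(struct stream *s) {
  s->package_window += STREAMWINDOW_INCREMENT;
}

/* With a max check: refuse a SENDME that would lift the window above
 * its start value. Returns 0 if credited, -1 if refused. */
static int sendme_checked(struct stream *s) {
  if (s->package_window + STREAMWINDOW_INCREMENT > STREAMWINDOW_START) {
    s->rejected++;  /* countable as invalid data by a detector */
    return -1;
  }
  s->package_window += STREAMWINDOW_INCREMENT;
  return 0;
}

/* Package `sent` cells (<= STREAMWINDOW_START), then receive `sendmes`
 * stream SENDMEs. Returns the final window; *rejected gets the refusals. */
static int run(int checked, int sent, int sendmes, int *rejected) {
  struct stream s = { STREAMWINDOW_START, 0 };
  s.package_window -= sent;
  for (int i = 0; i < sendmes; i++) {
    if (checked) sendme_checked(&s);
    else sendme_unchecked(&s);
  }
  if (rejected) *rejected = s.rejected;
  return s.package_window;
}

int main(void) {
  int rej = 0;
  /* Constructed input: 100 cells sent, peer answers with 20 SENDMEs. */
  printf("unchecked window: %d\n", run(0, 100, 20, &rej));
  printf("checked window:   %d (rejected %d)\n", run(1, 100, 20, &rej), rej);
  return 0;
}
```
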