[tor-bugs] #30466 [Core Tor/Tor]: hs: Do not allow more than one control cell on a circuit
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri May 10 13:09:52 UTC 2019
#30466: hs: Do not allow more than one control cell on a circuit
-------------------------------+----------------------------------------
Reporter: dgoulet | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: tor-dos, tor-hs, tor-relay
Actual Points: | Parent ID: #29999
Points: 0.1 | Reviewer:
Sponsor: Sponsor27-can |
-------------------------------+----------------------------------------
This is the list of HS control cell that is they are all for establishing
a circuit or/and "connection" between HS entities (IP, RP, Service,
client):
{{{
RELAY_COMMAND_ESTABLISH_INTRO:
RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
RELAY_COMMAND_INTRODUCE1:
RELAY_COMMAND_INTRODUCE2:
RELAY_COMMAND_INTRODUCE_ACK:
RELAY_COMMAND_INTRO_ESTABLISHED:
RELAY_COMMAND_RENDEZVOUS1:
RELAY_COMMAND_RENDEZVOUS2:
RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
}}}
It appears that anyone can send an arbitrary amount of those cells on the
same circuit. Even to the point that tor allows a rendezvous circuit to
become an intro circuit.
The only special one is `INTRODUCE2` which is by-design are sent a lot on
the same circuit.
The only cell currently limited to 1 cell is `INTRODUCE1` since we do not
allow multiple introductions on the same client circuit for DoS reasons.
But the rest should only be seen *once* on a circuit. Lets restrict them
and if we see more, then we close the circuit due to a protocol error.
This would limit side-channels.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30466>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list