[tor-bugs] #30428 [Core Tor/Tor]: sendme: Failure to validate authenticated SENDMEs client side

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 22 15:38:47 UTC 2019


#30428: sendme: Failure to validate authenticated SENDMEs client side
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Very High                            |      Milestone:  Tor:
                                                 |  0.4.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-circuit, sendme, 041-must,       |  Actual Points:
  0411-alpha, postfreeze-ok                      |
Parent ID:  #26288                               |         Points:  1
 Reviewer:  nickm                                |        Sponsor:
                                                 |  SponsorV
-------------------------------------------------+-------------------------

Comment (by dgoulet):

 Ok! I've confirmed that we do always have a multiple of 509
 (`CELL_PAYLOAD_SIZE`) and it is aligned on the window.

 There is an edge case there where we record a cell digest of a non `DATA`
 cell if the window is on the SENDME limit. It is not a big problem because
 in that case, the window is not updated so the next DATA cell will
 properly get recorded. However, it makes us sometimes record a digest that
 we shouldn't. To fix that, we would need to pass down to the relay crypto
 layer the cell relay command so we ONLY record for data cells.

 Two commits were added here. First one is fixing a bug that I discovered
 while stress testing with the chutney bidi where an Exit was not sending
 v1 as expected so the other end kept accumulating cell digests on the
 circuit. The commit takes care of removing the digest each time we get a
 SENDME.

 Second commit adds two non-fatal asserts for cases that should never happen
 but in case they do, tor will scream loudly.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30428#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
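
A simplified model of the edge case described in the comment above, added here as an illustration; it is not tor's code. The window size, SENDME interval, struct and function names are assumptions of this model, chosen only to show why a crypto-layer hook that cannot see the relay command records surplus digests.

```c
#include <stdio.h>
#include <stdbool.h>

/* Assumed values for this model; the ticket comment does not state them. */
#define WINDOW_START     1000  /* DATA cells allowed in flight */
#define SENDME_INCREMENT  100  /* one SENDME expected per 100 DATA cells */

enum cell_cmd { CMD_DATA, CMD_OTHER };  /* hypothetical command tags */

struct circ_model {
  int window;   /* remaining DATA cells we may send */
  int digests;  /* digests queued for upcoming SENDMEs */
};

/* True when the next DATA cell is the one a SENDME will acknowledge. */
static bool at_sendme_limit(int window) {
  return (window - 1) % SENDME_INCREMENT == 0;
}

/* Crypto-layer hook, run for every relay cell. With filter_by_cmd false the
 * hook cannot see the command, which is the situation the comment describes. */
static void send_cell(struct circ_model *c, enum cell_cmd cmd, bool filter_by_cmd) {
  if (at_sendme_limit(c->window) && (!filter_by_cmd || cmd == CMD_DATA))
    c->digests++;
  if (cmd == CMD_DATA)
    c->window--;  /* only DATA cells consume the window */
}

/* Send n_data DATA cells, injecting one non-DATA cell each time the window
 * sits on the limit. Returns recorded digests minus SENDMEs expected. */
int surplus_digests(int n_data, bool filter_by_cmd) {
  struct circ_model c = { WINDOW_START, 0 };
  int expected = 0;
  for (int i = 0; i < n_data; i++) {
    if (at_sendme_limit(c.window)) {
      send_cell(&c, CMD_OTHER, filter_by_cmd);  /* the edge case */
      expected++;  /* the DATA cell sent next earns exactly one SENDME */
    }
    send_cell(&c, CMD_DATA, filter_by_cmd);
  }
  return c.digests - expected;
}

int main(void) {
  printf("no command filter: %d surplus digests\n", surplus_digests(300, false));
  printf("DATA-only filter:  %d surplus digests\n", surplus_digests(300, true));
  return 0;
}
```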

