[tor-commits] [tor/master] Reject create/begin/etc cells with {circ, stream}ID 0.

nickm at torproject.org nickm at torproject.org
Tue Jan 15 21:30:33 UTC 2013


commit 4ccf09b1c21a858540453287e58a478a80a598ae
Author: Nick Mathewson <nickm at torproject.org>
Date:   Mon Jan 14 14:02:13 2013 -0500

    Reject create/begin/etc cells with {circ,stream}ID 0.
    
    Otherwise, it's possible to create streams or circuits with these
    bogus IDs, leading to orphaned circuits or streams, or to ones that
    can cause bandwidth DOS problems.
    
    Fixes bug 7889; bugfix on all released Tors.
---
 changes/bug7889  |    8 ++++++++
 src/or/command.c |    8 ++++++++
 src/or/relay.c   |   17 +++++++++++++++++
 3 files changed, 33 insertions(+), 0 deletions(-)

diff --git a/changes/bug7889 b/changes/bug7889
new file mode 100644
index 0000000..ce99a59
--- /dev/null
+++ b/changes/bug7889
@@ -0,0 +1,8 @@
+  o Major bugfixes:
+    - Reject bogus create and relay cells with 0 circuit ID or 0 stream
+      ID: these could be used to create unexpected streams and circuits
+      which would count as "present" to some parts of Tor but "absent"
+      to others, leading to zombie circuits and streams or to a
+      bandwidth DOS. Fixes bug 7889; bugfix on every released version of
+      Tor. Reported by "oftc_must_be_destroyed".
+
diff --git a/src/or/command.c b/src/or/command.c
index d935b5b..8321e26 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -382,6 +382,14 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn)
     return;
   }
 
+  if (cell->circ_id == 0) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Received a create cell (type %d) from %s:%d with zero circID; "
+           " ignoring.", (int)cell->command, conn->_base.address,
+           conn->_base.port);
+    return;
+  }
+
   /* If the high bit of the circuit ID is not as expected, close the
    * circ. */
   id_is_high = cell->circ_id & (1<<15);
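Review bot: The log message in the new block concatenates `"... with zero circID; "` with `" ignoring."`, so the emitted text contains a doubled space; `"Received a create cell (type %d) from %s:%d with zero circID; ignoring."` reads cleanly. The check itself is placed correctly, before the high-bit test on the following context line, so no circuit is ever created for ID 0. A one-line comment on why the cell is dropped rather than the connection closed would help the next reader, e.g. `/* circID 0 is reserved: a circuit created under it would look present to some code and absent to other code (bug 7889), so drop the cell. */`, with the "present/absent" wording taken from the changes entry rather than verified here. command_process_create_cell's body starts and ends outside the hunk.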
diff --git a/src/or/relay.c b/src/or/relay.c
index 5f7fcd8..a17c333 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1046,6 +1046,23 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
     return - END_CIRC_REASON_TORPROTOCOL;
   }
 
+  if (rh.stream_id == 0) {
+    switch (rh.command) {
+      case RELAY_COMMAND_BEGIN:
+      case RELAY_COMMAND_CONNECTED:
+      case RELAY_COMMAND_DATA:
+      case RELAY_COMMAND_END:
+      case RELAY_COMMAND_RESOLVE:
+      case RELAY_COMMAND_RESOLVED:
+      case RELAY_COMMAND_BEGIN_DIR:
+        log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero "
+               "stream_id. Dropping.", (int)rh.command);
+        return 0;
+      default:
+        ;
+    }
+  }
+
   /* either conn is NULL, in which case we've got a control cell, or else
    * conn points to the recognized stream. */
 
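Review bot: The `default: ;` closing the new switch is an empty statement where `default: break;` states the intent without reading like an accident, and the command list above it has no comment saying why these seven and not others. As far as I recall the relay protocol, the enumerated commands are the stream-level ones while SENDME, EXTEND, TRUNCATE and DROP are circuit-level and legitimately carry stream_id 0, so a deny-list is the right shape but any future stream-level command must be added here or it becomes processable with stream_id 0 again; a comment such as `/* Stream-level commands need a nonzero stream_id; circuit-level commands (SENDME, EXTEND, TRUNCATE, DROP, ...) legitimately use 0 and fall through. */` above the switch would record that. Note also that this path returns 0 (drop the cell) whereas the check just above returns -END_CIRC_REASON_TORPROTOCOL (close the circuit); if silently dropping a protocol violation is deliberate, a short comment on that choice would keep the two checks from looking inconsistent. connection_edge_process_relay_cell's body starts and ends outside the hunk.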