Loading changes/ticket33491 0 → 100644 +6 −0 Original line number Diff line number Diff line o Major bugfixes (DoS defenses, bridges, pluggable transport): - DoS subsystem was not given the transport name of the client connection when tor is a bridge and thus failing to find the GeoIP cache entry for that client address. This resulted in failing to apply DoS defenses on bridges with a pluggable transport. Fixes bug 33491; bugfix on 0.3.3.2-alpha. src/core/or/channel.c +1 −1 Original line number Diff line number Diff line Loading @@ -1882,7 +1882,7 @@ channel_do_open_actions(channel_t *chan) tor_free(transport_name); /* Notify the DoS subsystem of a new client. */ if (tlschan && tlschan->conn) { dos_new_client_conn(tlschan->conn); dos_new_client_conn(tlschan->conn, transport_name); } } /* Otherwise the underlying transport can't tell us this, so skip it */ Loading src/core/or/dos.c +2 −2 Original line number Diff line number Diff line Loading @@ -671,7 +671,7 @@ dos_log_heartbeat(void) /* Called when a new client connection has been established on the given * address. */ void dos_new_client_conn(or_connection_t *or_conn) dos_new_client_conn(or_connection_t *or_conn, const char *transport_name) { clientmap_entry_t *entry; Loading @@ -692,7 +692,7 @@ dos_new_client_conn(or_connection_t *or_conn) } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&or_conn->real_addr, NULL, entry = geoip_lookup_client(&or_conn->real_addr, transport_name, GEOIP_CLIENT_CONNECT); if (BUG(entry == NULL)) { /* Should never happen because we note down the address in the geoip Loading src/core/or/dos.h +2 −1 Original line number Diff line number Diff line Loading 
@@ -53,7 +53,8 @@ int dos_enabled(void); void dos_log_heartbeat(void); void dos_geoip_entry_about_to_free(const struct clientmap_entry_t *geoip_ent); void dos_new_client_conn(or_connection_t *or_conn); void dos_new_client_conn(or_connection_t *or_conn, const char *transport_name); void dos_close_client_conn(const or_connection_t *or_conn); int dos_should_refuse_single_hop_client(void); Loading src/test/test_dos.c +12 −12 Original line number Diff line number Diff line Loading @@ -79,7 +79,7 @@ test_dos_conn_creation(void *arg) { /* Register many conns from this client but not enough to get it blocked */ unsigned int i; for (i = 0; i < max_concurrent_conns; i++) { dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); } } Loading @@ -88,7 +88,7 @@ test_dos_conn_creation(void *arg) dos_conn_addr_get_defense_type(addr)); /* Register another conn and check that new conns are not allowed anymore */ dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, dos_conn_addr_get_defense_type(addr)); Loading @@ -98,7 +98,7 @@ test_dos_conn_creation(void *arg) dos_conn_addr_get_defense_type(addr)); /* Register another conn and see that defense measures get reactivated */ dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, dos_conn_addr_get_defense_type(addr)); Loading Loading @@ -153,7 +153,7 @@ test_dos_circuit_creation(void *arg) * circuit counting subsystem */ geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); for (i = 0; i < min_conc_conns_for_cc ; i++) { dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); } /* Register new circuits for this client and conn, but not enough to get Loading Loading 
@@ -217,7 +217,7 @@ test_dos_bucket_refill(void *arg) /* Register this client */ geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); /* Fetch this client from the geoip cache and get its DoS structs */ clientmap_entry_t *entry = geoip_lookup_client(addr, NULL, Loading Loading @@ -460,11 +460,11 @@ test_known_relay(void *arg) geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &or_conn.real_addr, NULL, 0); /* Suppose we have 5 connections in rapid succession, the counter should * always be 0 because we should ignore this. */ dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); entry = geoip_lookup_client(&or_conn.real_addr, NULL, GEOIP_CLIENT_CONNECT); tt_assert(entry); /* We should have a count of 0. */ Loading @@ -474,8 +474,8 @@ test_known_relay(void *arg) * connection and see if we do get it. */ tor_addr_parse(&or_conn.real_addr, "42.42.42.43"); geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &or_conn.real_addr, NULL, 0); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); entry = geoip_lookup_client(&or_conn.real_addr, NULL, GEOIP_CLIENT_CONNECT); tt_assert(entry); /* We should have a count of 2. */ Loading Loading
changes/ticket33491 0 → 100644 +6 −0 Original line number Diff line number Diff line o Major bugfixes (DoS defenses, bridges, pluggable transport): - DoS subsystem was not given the transport name of the client connection when tor is a bridge and thus failing to find the GeoIP cache entry for that client address. This resulted in failing to apply DoS defenses on bridges with a pluggable transport. Fixes bug 33491; bugfix on 0.3.3.2-alpha.
src/core/or/channel.c +1 −1 Original line number Diff line number Diff line Loading @@ -1882,7 +1882,7 @@ channel_do_open_actions(channel_t *chan) tor_free(transport_name); /* Notify the DoS subsystem of a new client. */ if (tlschan && tlschan->conn) { dos_new_client_conn(tlschan->conn); dos_new_client_conn(tlschan->conn, transport_name); } } /* Otherwise the underlying transport can't tell us this, so skip it */ Loading
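Review bot: The new call passes `transport_name` after `tor_free(transport_name);` has already run on the line directly above the `/* Notify the DoS subsystem of a new client. */` comment, so the DoS subsystem still never receives a usable transport name: if tor_free() nulls its argument, as tor's free macros generally do, the call passes NULL and the bridge-with-pluggable-transport case this commit is meant to fix stays broken; if it only frees, the call passes a freed pointer. Move the release below the notification, i.e. put `tor_free(transport_name);` immediately after the closing brace of the `if (tlschan && tlschan->conn) { ... }` block, so the string outlives both the geoip note and the DoS call. channel_do_open_actions begins before and continues past this hunk, so also check that nothing else between where transport_name is obtained and this point releases it.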
src/core/or/dos.c +2 −2 Original line number Diff line number Diff line Loading @@ -671,7 +671,7 @@ dos_log_heartbeat(void) /* Called when a new client connection has been established on the given * address. */ void dos_new_client_conn(or_connection_t *or_conn) dos_new_client_conn(or_connection_t *or_conn, const char *transport_name) { clientmap_entry_t *entry; Loading @@ -692,7 +692,7 @@ dos_new_client_conn(or_connection_t *or_conn) } /* We are only interested in client connection from the geoip cache. */ entry = geoip_lookup_client(&or_conn->real_addr, NULL, entry = geoip_lookup_client(&or_conn->real_addr, transport_name, GEOIP_CLIENT_CONNECT); if (BUG(entry == NULL)) { /* Should never happen because we note down the address in the geoip Loading
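Review bot: The header comment on dos_new_client_conn still says only "on the given address" and does not document the new `transport_name` parameter or the coupling the fix depends on; per the changelog entry the geoip lookup fails when the transport passed here differs from the one that was noted, so callers need that contract spelled out. I would extend the comment to `/* Called when a new client connection has been established on the given address. transport_name is the pluggable transport the client connected through, or NULL for a plain OR connection; it must be the same value that was passed to geoip_note_client_seen() for this address, since the geoip cache is looked up by address and transport. */`. The comment beside `BUG(entry == NULL)` ("Should never happen because we note down the address in the geoip") would likewise be clearer if it said the address is noted with the same transport name, because a mismatch there is exactly the failure mode this commit fixes. The rest of dos_new_client_conn lies outside the hunk.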
src/core/or/dos.h +2 −1 Original line number Diff line number Diff line Loading @@ -53,7 +53,8 @@ int dos_enabled(void); void dos_log_heartbeat(void); void dos_geoip_entry_about_to_free(const struct clientmap_entry_t *geoip_ent); void dos_new_client_conn(or_connection_t *or_conn); void dos_new_client_conn(or_connection_t *or_conn, const char *transport_name); void dos_close_client_conn(const or_connection_t *or_conn); int dos_should_refuse_single_hop_client(void); Loading
src/test/test_dos.c +12 −12 Original line number Diff line number Diff line Loading @@ -79,7 +79,7 @@ test_dos_conn_creation(void *arg) { /* Register many conns from this client but not enough to get it blocked */ unsigned int i; for (i = 0; i < max_concurrent_conns; i++) { dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); } } Loading @@ -88,7 +88,7 @@ test_dos_conn_creation(void *arg) dos_conn_addr_get_defense_type(addr)); /* Register another conn and check that new conns are not allowed anymore */ dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, dos_conn_addr_get_defense_type(addr)); Loading @@ -98,7 +98,7 @@ test_dos_conn_creation(void *arg) dos_conn_addr_get_defense_type(addr)); /* Register another conn and see that defense measures get reactivated */ dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ, dos_conn_addr_get_defense_type(addr)); Loading Loading @@ -153,7 +153,7 @@ test_dos_circuit_creation(void *arg) * circuit counting subsystem */ geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); for (i = 0; i < min_conc_conns_for_cc ; i++) { dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); } /* Register new circuits for this client and conn, but not enough to get Loading Loading @@ -217,7 +217,7 @@ test_dos_bucket_refill(void *arg) /* Register this client */ geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, NULL, now); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); /* Fetch this client from the geoip cache and get its DoS structs */ clientmap_entry_t *entry = geoip_lookup_client(addr, NULL, Loading Loading 
@@ -460,11 +460,11 @@ test_known_relay(void *arg) geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &or_conn.real_addr, NULL, 0); /* Suppose we have 5 connections in rapid succession, the counter should * always be 0 because we should ignore this. */ dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); entry = geoip_lookup_client(&or_conn.real_addr, NULL, GEOIP_CLIENT_CONNECT); tt_assert(entry); /* We should have a count of 0. */ Loading @@ -474,8 +474,8 @@ test_known_relay(void *arg) * connection and see if we do get it. */ tor_addr_parse(&or_conn.real_addr, "42.42.42.43"); geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &or_conn.real_addr, NULL, 0); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn); dos_new_client_conn(&or_conn, NULL); dos_new_client_conn(&or_conn, NULL); entry = geoip_lookup_client(&or_conn.real_addr, NULL, GEOIP_CLIENT_CONNECT); tt_assert(entry); /* We should have a count of 2. */ Loading
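Review bot: Every updated call in these hunks passes `NULL` as the transport name, so the suite still exercises only the non-PT path and the bridge-with-pluggable-transport case this commit fixes has no coverage; a regression in the transport handling would go unnoticed. I would add a case to test_dos_conn_creation that primes the geoip cache with a transport name and then reports the connections with the same name, along the lines below, reusing the `addr`, `or_conn` and `max_concurrent_conns` setup that test already has (`now` is the timestamp the sibling tests pass to geoip_note_client_seen; use whatever that test has in scope). Such a test would also settle whether `dos_conn_addr_get_defense_type(addr)`, which takes only an address, finds an entry that was recorded with a transport name — I cannot tell from these hunks how the cache is keyed, so that is worth confirming by a test rather than assuming.
```c
  /* Same client, but arriving over a pluggable transport: the DoS lookup
   * must use the same transport name the geoip cache was primed with. */
  geoip_note_client_seen(GEOIP_CLIENT_CONNECT, addr, "obfs4", now);
  for (i = 0; i <= max_concurrent_conns; i++) {
    dos_new_client_conn(&or_conn, "obfs4");
  }
  tt_int_op(DOS_CONN_DEFENSE_CLOSE, OP_EQ,
            dos_conn_addr_get_defense_type(addr));
```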