Detect bug 6252 (unexpected sendme cell) (c32ec9c4) · Commits · David Goulet / Tor

changes/bug6252

0 → 100644

+8 −0

Original line number	Diff line number	Diff line
		o Security fixes:
		- Tear down the circuit if we get an unexpected SENDME cell. Clients
		could use this trick to make their circuits receive cells faster
		than our flow control would have allowed, or to gum up the network,
		or possibly to do targeted memory denial-of-service attacks on
		entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
		from July 2002, before the release of Tor 0.0.0.

+14 −0

Original line number	Diff line number	Diff line
		@@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t cell, circuit_t circ,
		case RELAY_COMMAND_SENDME:
		if (!conn) {
		if (layer_hint) {
		if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
		CIRCWINDOW_START_MAX) {
		log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
		"Bug/attack: unexpected sendme cell from exit relay. "
		"Closing circ.");
		return -END_CIRC_REASON_TORPROTOCOL;
		}
		layer_hint->package_window += CIRCWINDOW_INCREMENT;
		log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
		layer_hint->package_window);
		circuit_resume_edge_reading(circ, layer_hint);
		} else {
		if (circ->package_window + CIRCWINDOW_INCREMENT >
		CIRCWINDOW_START_MAX) {
		log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
		"Bug/attack: unexpected sendme cell from client. "
		"Closing circ.");
		return -END_CIRC_REASON_TORPROTOCOL;
		}
		circ->package_window += CIRCWINDOW_INCREMENT;
		log_debug(LD_APP,
		"circ-level sendme at non-origin, packagewindow %d.",