changes/bug6007 0 → 100644 +5 −0 Original line number Diff line number Diff line o Major bugfixes (security): - When waiting for a client to renegotiate, don't allow it to add any bytes to the input buffer. This fixes a DoS issue. Fix for bugs 6007 and 5934; bugfix on 0.2.0.20-rc.
src/or/connection_or.c +20 −2 Original line number Diff line number Diff line Loading @@ -209,7 +209,12 @@ connection_or_reached_eof(or_connection_t *conn) int connection_or_process_inbuf(or_connection_t *conn) { int ret; /** Don't let the inbuf of a nonopen OR connection grow beyond this many * bytes: it's either a broken client, a non-Tor client, or a DOS * attempt. */ #define MAX_OR_INBUF_WHEN_NONOPEN 0 int ret = 0; tor_assert(conn); switch (conn->_base.state) { Loading @@ -231,8 +236,21 @@ connection_or_process_inbuf(or_connection_t *conn) case OR_CONN_STATE_OR_HANDSHAKING: return connection_or_process_cells_from_inbuf(conn); default: return 0; /* don't do anything */ break; /* don't do anything */ } if (buf_datalen(conn->_base.inbuf) > MAX_OR_INBUF_WHEN_NONOPEN) { log_fn(LOG_PROTOCOL_WARN, LD_NET, "Accumulated too much data (%d bytes) " "on nonopen OR connection %s %s:%u in state %s; closing.", (int)buf_datalen(conn->_base.inbuf), connection_or_nonopen_was_started_here(conn) ? "to" : "from", conn->_base.address, conn->_base.port, conn_state_to_string(conn->_base.type, conn->_base.state)); connection_mark_for_close(TO_CONN(conn)); ret = -1; } return ret; } /** When adding cells to an OR connection's outbuf, keep adding until the Loading
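Review bot: The new `buf_datalen(conn->_base.inbuf) > MAX_OR_INBUF_WHEN_NONOPEN` check is reached only from the `default:` arm, because `case OR_CONN_STATE_OR_HANDSHAKING:` still returns directly and the cases between the two hunks are not visible here. The macro's comment speaks of any "nonopen OR connection", so a reader could assume every pre-open state is bounded. I would state the real scope next to the check, for example `/* Reached only by states that fall through to default; with a limit of 0, any buffered byte closes the connection. */`. It would also help to confirm that none of the early-returning handshake states can let the inbuf grow without limit, since they bypass this guard. Separately, the `(int)` cast for `%d` would truncate if `buf_datalen()` returns a wider unsigned type; its declaration is outside this diff.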