Loading changes/issue-2011-10-19L +9 −0 Original line number Diff line number Diff line Loading @@ -10,3 +10,12 @@ upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by frosty_un. - Don't use any OR connection on which we have received a CREATE_FAST cell to satisfy an EXTEND request. Previously, we would not consider whether a connection appears to be from a client or bridge when deciding whether to use that connection to satisfy an EXTEND request. Mitigates CVE-2011-2768, by preventing an attacker from determining whether an unpatched client is connected to a patched relay. Bugfix on FIXME; found by frosty_un. src/or/command.c +6 −0 Original line number Diff line number Diff line Loading @@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) * a CPU worker. */ char keys[CPATH_KEY_MATERIAL_LEN]; char reply[DIGEST_LEN*2]; tor_assert(cell->command == CELL_CREATE_FAST); /* Make sure we never try to use the OR connection on which we * received this cell to satisfy an EXTEND request, */ conn->is_connection_with_client = 1; if (fast_server_handshake(cell->payload, (uint8_t*)reply, (uint8_t*)keys, sizeof(keys))<0) { log_warn(LD_OR,"Failed to generate key material. Closing."); Loading src/or/connection_or.c +5 −0 Original line number Diff line number Diff line Loading @@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest, tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN)); if (conn->_base.marked_for_close) continue; /* Never return a connection on which the other end appears to be * a client. */ if (conn->is_connection_with_client) { continue; } /* Never return a non-open connection. */ if (conn->_base.state != OR_CONN_STATE_OPEN) { /* If the address matches, don't launch a new connection for this Loading src/or/or.h +4 −0 Original line number Diff line number Diff line Loading 
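Review bot: The new comment in command_process_create_cell ends with a comma, `* received this cell to satisfy an EXTEND request, */`, where it should end with a period, and it does not say why the assignment sits before fast_server_handshake() rather than after it. Setting the flag before the handshake looks deliberate (a peer that sends CREATE_FAST has identified itself as a client or bridge even if the handshake then fails), and nothing on this page ever clears it, so the comment should record both: `/* A peer that sends CREATE_FAST is a client or bridge: flag the connection before the handshake runs, whether or not it succeeds, so connection_or_get_for_extend() never uses it for an EXTEND. */`. Whether clients can also open their first hop with a plain CREATE cell is not visible here; if they can, only the CREATE_FAST path is covered and the comment should say so. The enclosing function starts and ends outside the hunk, and the same section appears again further down the page.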
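Review bot: The added guard in connection_or_get_for_extend is braced, `if (conn->is_connection_with_client) { continue; }`, while the check immediately above it, `if (conn->_base.marked_for_close) continue;`, is not; the run of skip-checks should use one form. Placing the guard before the OR_CONN_STATE_OPEN check appears intentional, since it keeps a flagged connection from reaching the "if the address matches, don't launch a new connection" logic below, and that is worth a clause in the comment: `/* Never return a connection on which the other end appears to be a client, and don't let it count as an existing connection to this address either. */`. The loop and the function's parameter list continue outside the hunk, so whether the caller logs when every candidate is skipped cannot be seen here. The same section is repeated later in the page.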
@@ -1031,6 +1031,10 @@ typedef struct or_connection_t { * because the connection is too old, or because there's a better one, etc. */ unsigned int is_bad_for_new_circs:1; /** True iff we have decided that the other end of this connection * is a client. Connections with this flag set should never be used * to satisfy an EXTEND request. */ unsigned int is_connection_with_client:1; uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on Loading Loading
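Review bot: The doc comment on the new is_connection_with_client bit in or_connection_t says when the flag is true but not what sets it or that it is never cleared, so a reader of or.h has to go to command.c to learn that. Suggested: `/** True iff we have decided that the other end of this connection is a client (set when a CREATE_FAST cell arrives on it; never cleared). Connections with this flag set must never be used to satisfy an EXTEND request. */`. It also sits directly after is_bad_for_new_circs, whose comment suggests it is about the link's suitability ("too old", "there's a better one"); one sentence on how the two differ would prevent them being confused. The struct definition continues outside the hunk, and this section is repeated later in the page.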
changes/issue-2011-10-19L +9 −0 Original line number Diff line number Diff line Loading @@ -10,3 +10,12 @@ upgrade. Fixes CVE-2011-2768. Bugfix on FIXME; found by frosty_un. - Don't use any OR connection on which we have received a CREATE_FAST cell to satisfy an EXTEND request. Previously, we would not consider whether a connection appears to be from a client or bridge when deciding whether to use that connection to satisfy an EXTEND request. Mitigates CVE-2011-2768, by preventing an attacker from determining whether an unpatched client is connected to a patched relay. Bugfix on FIXME; found by frosty_un.
src/or/command.c +6 −0 Original line number Diff line number Diff line Loading @@ -285,7 +285,13 @@ command_process_create_cell(cell_t *cell, or_connection_t *conn) * a CPU worker. */ char keys[CPATH_KEY_MATERIAL_LEN]; char reply[DIGEST_LEN*2]; tor_assert(cell->command == CELL_CREATE_FAST); /* Make sure we never try to use the OR connection on which we * received this cell to satisfy an EXTEND request, */ conn->is_connection_with_client = 1; if (fast_server_handshake(cell->payload, (uint8_t*)reply, (uint8_t*)keys, sizeof(keys))<0) { log_warn(LD_OR,"Failed to generate key material. Closing."); Loading
src/or/connection_or.c +5 −0 Original line number Diff line number Diff line Loading @@ -519,6 +519,11 @@ connection_or_get_for_extend(const char *digest, tor_assert(tor_memeq(conn->identity_digest, digest, DIGEST_LEN)); if (conn->_base.marked_for_close) continue; /* Never return a connection on which the other end appears to be * a client. */ if (conn->is_connection_with_client) { continue; } /* Never return a non-open connection. */ if (conn->_base.state != OR_CONN_STATE_OPEN) { /* If the address matches, don't launch a new connection for this Loading
src/or/or.h +4 −0 Original line number Diff line number Diff line Loading @@ -1031,6 +1031,10 @@ typedef struct or_connection_t { * because the connection is too old, or because there's a better one, etc. */ unsigned int is_bad_for_new_circs:1; /** True iff we have decided that the other end of this connection * is a client. Connections with this flag set should never be used * to satisfy an EXTEND request. */ unsigned int is_connection_with_client:1; uint8_t link_proto; /**< What protocol version are we using? 0 for * "none negotiated yet." */ circid_t next_circ_id; /**< Which circ_id do we try to use next on Loading