changes/prop110 0 → 100644 +7 −0 Original line number Diff line number Diff line o Major features: - Now that Tor 0.2.0.x is completely deprecated, we can enable the final part of "Proposal 110: Avoiding infinite length circuits" by refusing all circuit-extend requests that do not appear in a "relay_early" cell. This change helps Tor to resist a class of denial-of-service attacks by limiting the maximum circuit length.
src/or/relay.c +19 −0 Original line number Diff line number Diff line Loading @@ -1194,6 +1194,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, "'extend' cell received for non-zero stream. Dropping."); return 0; } if (cell->command != CELL_RELAY_EARLY) { #define EARLY_WARNING_INTERVAL 900 static ratelim_t early_warning_limit = RATELIM_INIT(EARLY_WARNING_INTERVAL); char *m; if (cell->command == CELL_RELAY) { if ((m = rate_limit_log(&early_warning_limit, approx_time()))) { /* XXXX make this a protocol_warn once we're happier with it*/ log_fn(LOG_WARN, domain, "EXTEND cell received, " "but not via RELAY_EARLY. Dropping.%s", m); tor_free(m); } } else { log_fn(LOG_WARN, domain, "EXTEND cell received, in a cell with type %d! Dropping.", cell->command); } return 0; } return circuit_extend(cell, circ); case RELAY_COMMAND_EXTENDED: if (!layer_hint) { Loading
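Review bot: The `else` branch of the new `cell->command != CELL_RELAY_EARLY` block logs at LOG_WARN unconditionally, while the CELL_RELAY branch just above it goes through `early_warning_limit`; both messages are triggered purely by what a remote peer sends, so the unlimited one is the easier log flood and would bury the rate-limited warning an operator actually wants to see. Whether that branch is reachable depends on which commands connection_edge_process_relay_cell is entered with, which I cannot tell from the hunk (the function starts and ends outside it), but if it is, both branches should share the one limiter as sketched below, which also leaves a single place to resolve the `XXXX make this a protocol_warn` note. Separately, `#define EARLY_WARNING_INTERVAL 900` is placed inside the function body, so the macro stays defined for the rest of relay.c rather than being block-scoped like the `static ratelim_t` next to it; hoisting it to file scope (or an `enum`) beside the file's other constants avoids a later redefinition surprise.
```c
  if (cell->command != CELL_RELAY_EARLY) {
    static ratelim_t early_warning_limit =
      RATELIM_INIT(EARLY_WARNING_INTERVAL);
    /* One limiter for both messages: either one is remotely triggerable. */
    char *m = rate_limit_log(&early_warning_limit, approx_time());
    if (m) {
      /* XXXX make this a protocol_warn once we're happier with it*/
      if (cell->command == CELL_RELAY) {
        log_fn(LOG_WARN, domain, "EXTEND cell received, "
               "but not via RELAY_EARLY. Dropping.%s", m);
      } else {
        log_fn(LOG_WARN, domain,
               "EXTEND cell received, in a cell with type %d! Dropping.%s",
               cell->command, m);
      }
      tor_free(m);
    }
    return 0;
  }
  /* … unchanged: return circuit_extend(cell, circ); … */
```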