Reject create/begin/etc cells with {circ,stream}ID 0. (4ccf09b1) · Commits · The Tor Project / Core / Tor

changes/bug7889

0 → 100644

+8 −0

Original line number	Diff line number	Diff line
		o Major bugfixes:
		- Reject bogus create and relay cells with 0 circuit ID or 0 stream
		ID: these could be used to create unexpected streams and circuits
		which would count as "present" to some parts of Tor but "absent"
		to others, leading to zombie circuits and streams or to a
		bandwidth DOS. Fixes bug 7889; bugfix on every released version of
		Tor. Reported by "oftc_must_be_destroyed".

+8 −0

Original line number	Diff line number	Diff line
		@@ -382,6 +382,14 @@ command_process_create_cell(cell_t cell, or_connection_t conn)
		return;
		}

		if (cell->circ_id == 0) {
		log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
		"Received a create cell (type %d) from %s:%d with zero circID; "
		" ignoring.", (int)cell->command, conn->_base.address,
		conn->_base.port);
		return;
		}

		/* If the high bit of the circuit ID is not as expected, close the
		* circ. */
		id_is_high = cell->circ_id & (1<<15);

+17 −0

Original line number	Diff line number	Diff line
		@@ -1046,6 +1046,23 @@ connection_edge_process_relay_cell(cell_t cell, circuit_t circ,
		return - END_CIRC_REASON_TORPROTOCOL;
		}

		if (rh.stream_id == 0) {
		switch (rh.command) {
		case RELAY_COMMAND_BEGIN:
		case RELAY_COMMAND_CONNECTED:
		case RELAY_COMMAND_DATA:
		case RELAY_COMMAND_END:
		case RELAY_COMMAND_RESOLVE:
		case RELAY_COMMAND_RESOLVED:
		case RELAY_COMMAND_BEGIN_DIR:
		log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay command %d with zero "
		"stream_id. Dropping.", (int)rh.command);
		return 0;
		default:
		;
		}
		}

		/* either conn is NULL, in which case we've got a control cell, or else
		* conn points to the recognized stream. */