Merge branch 'maint-0.2.3'

6061cd58 · Roger Dingledine · ed2601f2 · c32ec9c4 · 6061cd58 · 6061cd58
Commit 6061cd58 authored 12 years ago by Roger Dingledine
--- a/changes/bug6252
+++ b/changes/bug6252
+  o Security fixes:
+    - Tear down the circuit if we get an unexpected SENDME cell. Clients
+      could use this trick to make their circuits receive cells faster
+      than our flow control would have allowed, or to gum up the network,
+      or possibly to do targeted memory denial-of-service attacks on
+      entry nodes. Fixes bug 6252. Bugfix on the 54th commit on Tor --
+      from July 2002, before the release of Tor 0.0.0.
+
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1265,11 +1265,25 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
    case RELAY_COMMAND_SENDME:
      if (!conn) {
        if (layer_hint) {
+          if (layer_hint->package_window + CIRCWINDOW_INCREMENT >
+                CIRCWINDOW_START_MAX) {
+            log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+                   "Bug/attack: unexpected sendme cell from exit relay. "
+                   "Closing circ.");
+            return -END_CIRC_REASON_TORPROTOCOL;
+          }
          layer_hint->package_window += CIRCWINDOW_INCREMENT;
          log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
                    layer_hint->package_window);
          circuit_resume_edge_reading(circ, layer_hint);
        } else {
+          if (circ->package_window + CIRCWINDOW_INCREMENT >
+                CIRCWINDOW_START_MAX) {
+            log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+                   "Bug/attack: unexpected sendme cell from client. "
+                   "Closing circ.");
+            return -END_CIRC_REASON_TORPROTOCOL;
+          }
          circ->package_window += CIRCWINDOW_INCREMENT;
          log_debug(LD_APP,
                    "circ-level sendme at non-origin, packagewindow %d.",