Commit ef6bc1a4 authored by Roger Dingledine's avatar Roger Dingledine
Browse files

Keep streamids from different exits on a circuit separate. This 

bug may have allowed other routers on a given circuit to inject
cells into streams. Reported by lodger; fixes bug 446. [Bugfix
on 0.1.2.x]


svn:r10818
parent 656b7761

ChangeLog

+6 −0
Original line number Diff line number Diff line
@@ -81,6 +81,12 @@ Changes in version 0.2.0.3-alpha - 2007-??-?? 
    - Fix a possible buffer overrun when using BSD natd support. Bug found

      by croup.



  o Security fixes (circuits):

    - Keep streamids from different exits on a circuit separate. This

      bug may have allowed other routers on a given circuit to inject

      cells into streams. Reported by lodger; fixes bug 446. [Bugfix

      on 0.1.2.x]





Changes in version 0.2.0.2-alpha - 2007-06-02

  o Major bugfixes on 0.2.0.1-alpha:

src/or/relay.c

+8 −4
Original line number Diff line number Diff line
@@ -18,7 +18,8 @@ const char relay_c_id[] = 
static int relay_crypt(circuit_t *circ, cell_t *cell, int cell_direction,

                crypt_path_t **layer_hint, char *recognized);

static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,

                                       int cell_direction);

                                            int cell_direction,

                                            crypt_path_t *layer_hint);



static int

connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
@@ -164,7 +165,8 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, int cell_direction) 
  }



  if (recognized) {

    edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction);

    edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction,

                                                layer_hint);

    if (cell_direction == CELL_DIRECTION_OUT) {

      ++stats_n_relay_cells_delivered;

      log_debug(LD_OR,"Sending away from origin.");
@@ -380,7 +382,8 @@ circuit_package_relay_cell(cell_t *cell, circuit_t *circ, 
 * attached to circ, return that conn, else return NULL.

 */

static edge_connection_t *

relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction)

relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction,

                  crypt_path_t *layer_hint)

{

  edge_connection_t *tmpconn;

  relay_header_t rh;
@@ -398,7 +401,8 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction) 
    for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn;

         tmpconn=tmpconn->next_stream) {

      if (rh.stream_id == tmpconn->stream_id &&

          !tmpconn->_base.marked_for_close) {

          !tmpconn->_base.marked_for_close &&

          tmpconn->cpath_layer == layer_hint) {

        log_debug(LD_APP,"found conn for stream %d.", rh.stream_id);

        return tmpconn;

      }

src/or/routerlist.c

+1 −1
Original line number Diff line number Diff line
@@ -1155,7 +1155,7 @@ router_get_advertised_bandwidth(routerinfo_t *router) 
 *

 * If <b>for_exit</b>, we're picking an exit node: consider all nodes'

 * bandwidth equally regardless of their Exit status.  If not <b>for_exit</b>,

 * we're picking a non-exit node: weight exit-node's bandwidth downwards

 * we're picking a non-exit node: weight exit-node's bandwidth less

 * depending on the smallness of the fraction of Exit-to-total bandwidth.

 */

static void *