We obey sendme cells even when we shouldn't get them

A client can send sendme cells preemptively to the exit relay, allowing:

• cheating on her flow/congestion control, to get her bytes faster

• DoS on the network, by adding way more cells into the network than she was supposed to.

• perhaps a memory DoS on the entry relay, if she stops reading from the TLS connection but keeps up the blitz of sendme cells.

I believe the fix is to tear down the circuit when we get a sendme we should not have gotten.

changed milestone to %Tor: 0.2.3.x-final in legacy/trac

added component::core tor/tor in Legacy / Trac milestone::Tor: 0.2.3.x-final in Legacy / Trac priority::high in Legacy / Trac resolution::fixed in Legacy / Trac status::closed in Legacy / Trac tor-relay in Legacy / Trac type::defect in Legacy / Trac labels

see my branch 6252

not intended to go into 0.2.3.18-rc

Trac:
Status: new to needs_review

Looks okay to me.

Merged then.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Trac:
Status: closed to reopened
Resolution: fixed to N/A

Hm. Running it on moria1 with protocolwarnings 1, I see quite a few

Jul 01 05:37:54.000 [warn] Bug/attack: unexpected sendme cell from client. Closing circ.
Jul 01 05:37:54.000 [warn] connection_edge_process_relay_cell (away from origin) failed.
Jul 01 05:37:54.000 [warn] circuit_receive_relay_cell (forward) failed. Closing.

I wonder if these are people performing the exploit, or people otherwise doing something unexpected.

Ok, I reverted.

moria1 was seeing circwindows of 1950+ in normal operation.

legacy/trac#6271 (moved) for the new bug.

Trac:
Status: reopened to needs_information

Fyi, I'm running the legacy/trac#6271 (moved) patch and the legacy/trac#6252 (moved) patch on moria1, with no complaints now.

So do you think we can re-cherrypick the 6252 patch again? If so see branch "bug6252_again" in my public repository.

Trac:
Status: needs_information to needs_review

Still no warnings on moria1. What could go wrong! Let's do it.

(should we make the warnings louder for a few versions, in case they show up on, say, exit relays?)

Maybe we should rate-limit them if we do?

Sure.

Or we could merge it into master first, with warnings loud, and later put it into 0.2.3 with fewer warnings?

Or put it into 0.2.3 nice and quiet and make it loud in master. The possibilities are endless. "Feel free" say I

Merging into maint-0.2.3; making the warnings louder in master.

If you want to change that, feel free.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Trac:
Keywords: N/A deleted, tor-relay added

Trac:
Component: Tor Relay to Tor

Trac:
notices-sendmecells.log

grep "Bug/attack" /var/log/tor/notices*

Replying to arma:

(should we make the warnings louder for a few versions, in case they show up on, say, exit relays?)

I'm not sure if this is interesting, but I see these warnings quite often on our exits. (see attachment for example)

Tor 0.2.4.6-alpha (git-6fd93dcf3fbabe2b) straight from deb repository.

closed

mentioned in issue legacy/trac#6271 (moved)

mentioned in issue legacy/trac#8093 (moved)

mentioned in issue legacy/trac#8185 (moved)

mentioned in issue legacy/trac#9063 (moved)

moved from legacy/trac#6252 (moved)

mentioned in issue #9063 (closed)

added Bug label and removed 1 deleted label

added Relay label and removed 1 deleted label