commit 83135d75a3d87e4fd5f163aecb742180c01d9d0e
parent 9acca040257caf5894126e8da3df7226f6dcd480
Author: Nick Mathewson <nickm@torproject.org>
Date: Thu, 8 Jun 2017 09:21:15 -0400
Merge branch 'maint-0.3.0'
Diffstat:
3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/changes/trove-2017-004 b/changes/trove-2017-004
@@ -1,8 +1,8 @@
o Major bugfixes (hidden service, relay, security):
- - Fix an assertion failure when an hidden service handles a
+ - Fix an assertion failure when a hidden service handles a
malformed BEGIN cell. This bug resulted in the service crashing
triggered by a tor_assert(). Fixes bug 22493, tracked as
- TROVE-2017-004 and as CVE-2017-0375; bugfix on tor-0.3.0.1-alpha.
+ TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
Found by armadev.
diff --git a/changes/trove-2017-005 b/changes/trove-2017-005
@@ -0,0 +1,7 @@
+ o Major bugfixes (hidden service, relay, security):
+ - Fix an assertion failure caused by receiving a BEGIN_DIR cell on
+ a hidden service rendezvous circuit. Fixes bug 22494, tracked as
+ TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found
+ by armadev.
+
+
diff --git a/src/or/relay.c b/src/or/relay.c
@@ -1636,7 +1636,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
"Begin cell for known stream. Dropping.");
return 0;
}
- if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
+ if (rh.command == RELAY_COMMAND_BEGIN_DIR &&
+ circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
/* Assign this circuit and its app-ward OR connection a unique ID,
* so that we can measure download times. The local edge and dir
* connection will be assigned the same ID when they are created
