
commit 8734eea31ba1634474d519240b7bc5141c4becbd
parent d9edf143abd05378246ebeadf0834d6ef57928fd
Author: Nick Mathewson <nickm@torproject.org>
Date:   Thu, 10 Jun 2021 08:53:07 -0400

Merge branch 'maint-0.4.6'

Diffstat:
Achanges/ticket40389 | 3+++
Msrc/core/or/relay.c | 39+++++++++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/changes/ticket40389 b/changes/ticket40389
@@ -0,0 +1,3 @@
+ o Major bugfixes (relay, TROVE):
+ - Don't allow entry or middle relays to spoof RELAY_END or RELAY_RESOLVED
+ cell on half-closed streams. Fixes bug 40389; bugfix on 0.3.5.1-alpha.
diff --git a/src/core/or/relay.c b/src/core/or/relay.c
@@ -1505,6 +1505,25 @@ connection_edge_process_relay_cell_not_open(
 // return -1;
 }
+/**
+ * Return true iff our decryption layer_hint is from the last hop
+ * in a circuit.
+ */
+static bool
+relay_crypt_from_last_hop(origin_circuit_t *circ, crypt_path_t *layer_hint)
+{
+ tor_assert(circ);
+ tor_assert(layer_hint);
+ tor_assert(circ->cpath);
+
+ if (layer_hint != circ->cpath->prev) {
+ log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
+ "Got unexpected relay data from intermediate hop");
+ return false;
+ }
+ return true;
+}
+
 /** Process a SENDME cell that arrived on <b>circ</b>. If it is a stream level
 * cell, it is destined for the given <b>conn</b>. If it is a circuit level
 * cell, it is destined for the <b>layer_hint</b>. The <b>domain</b> is the
@@ -1725,8 +1744,17 @@ handle_relay_cell_command(cell_t *cell, circuit_t *circ,
 if (!conn) {
 if (CIRCUIT_IS_ORIGIN(circ)) {
 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+<<<<<<< HEAD
 if (connection_half_edge_is_valid_end(ocirc->half_streams,
 rh->stream_id)) {
+||||||| d71bf986b4faf7
+ if (connection_half_edge_is_valid_end(ocirc->half_streams,
+ rh.stream_id)) {
+=======
+ if (relay_crypt_from_last_hop(ocirc, layer_hint) &&
+ connection_half_edge_is_valid_end(ocirc->half_streams,
+ rh.stream_id)) {
+>>>>>>> maint-0.3.5
 circuit_read_valid_data(ocirc, rh->length);
 log_info(domain,
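Review bot: relay_crypt_from_last_hop() is added in full here, but as this diff stands it never takes effect, because both of its call sites later in relay.c are committed inside unresolved conflict markers (`<<<<<<< HEAD` … `>>>>>>> maint-0.3.5`); that will not compile, and the HEAD side of each conflict keeps the unguarded `connection_half_edge_is_valid_end(...)` / `_resolved(...)` tests that the changes entry says this commit closes. Each conflict should be resolved to the maint-0.3.5 side using HEAD's pointer form of rh, i.e. `if (relay_crypt_from_last_hop(ocirc, layer_hint) &&` / `connection_half_edge_is_valid_end(ocirc->half_streams,` / `rh->stream_id)) {` (and likewise with `_resolved` and `rh->length` for the RESOLVED case). A smaller point on the helper itself: `tor_assert(layer_hint)` aborts the process rather than rejecting the cell, which is fine only if a NULL layer_hint can never reach this path on an origin circuit — I cannot confirm that from this hunk, so `if (!layer_hint) return false;` would fail closed either way. The comparison against `circ->cpath->prev` presumably relies on cpath being a circular list whose prev of the head is the last hop; worth a one-line comment saying so, e.g. `/* cpath is circular: cpath->prev is the final hop. */`.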
@@ -1935,9 +1963,20 @@ handle_relay_cell_command(cell_t *cell, circuit_t *circ,
 if (CIRCUIT_IS_ORIGIN(circ)) {
 origin_circuit_t *ocirc = TO_ORIGIN_CIRCUIT(circ);
+<<<<<<< HEAD
 if (connection_half_edge_is_valid_resolved(ocirc->half_streams,
 rh->stream_id)) {
 circuit_read_valid_data(ocirc, rh->length);
+||||||| d71bf986b4faf7
+ if (connection_half_edge_is_valid_resolved(ocirc->half_streams,
+ rh.stream_id)) {
+ circuit_read_valid_data(ocirc, rh.length);
+=======
+ if (relay_crypt_from_last_hop(ocirc, layer_hint) &&
+ connection_half_edge_is_valid_resolved(ocirc->half_streams,
+ rh.stream_id)) {
+ circuit_read_valid_data(ocirc, rh.length);
+>>>>>>> maint-0.3.5
 log_info(domain,
 "resolved cell on circ %u valid on half-closed "
 "stream id %d", ocirc->global_identifier, rh->stream_id);