Opened 10 years ago

Last modified 7 years ago

#1045 closed defect (Not a bug)

Framing TLS records violates the protocol specification.

Reported by: OTU Owned by:
Priority: Low Milestone:
Component: Core Tor/Tor Version: 0.2.0.35
Severity: Keywords:
Cc: Sebastian, nickm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

The problem is _connection_write_to_buf_impl(), if it
flushes forcely a some bytes from outbuf.
For queued cells (in_flushed_some is true), it never plays
with outbuf_flushlen. So call for connection_handle_write()
triggered only in case of overlapping sets of conditions;
If outbuf_flushlen was equal 15360 before cell_destroy
(or cell_padding) was appended, then flushes of 15872
bytes to TLS record.

Such behavior can leak a type of the last cell, and a some
internal information likes a outbuf's length.

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (3)

comment:1 Changed 9 years ago by OTUTOR

I think my diagnosis was wrong. I can't neither reproduce it
on the real network. At the moment I have no idea how to make
the leak reproducable. Sorry for the wasted time.

You can close this bug.

comment:2 Changed 9 years ago by Sebastian

flyspray2trac: bug closed.
Closing by request, please re-open if it happens again

comment:3 Changed 7 years ago by nickm

Component: Tor RelayTor
Note: See TracTickets for help on using tickets.