We obey sendme cells even when we shouldn't get them

A client can send sendme cells preemptively to the exit relay, allowing:

• cheating on her flow/congestion control, to get her bytes faster

• DoS on the network, by adding way more cells into the network than she was supposed to.

• perhaps a memory DoS on the entry relay, if she stops reading from the TLS connection but keeps up the blitz of sendme cells.

I believe the fix is to tear down the circuit when we get a sendme we should not have gotten.

changed milestone to %Tor: 0.2.3.x-final

added component::core tor/tor milestone::Tor: 0.2.3.x-final priority::high resolution::fixed status::closed tor-relay type::defect labels

see my branch 6252

not intended to go into 0.2.3.18-rc

Trac:
Status: new to needs_review

Looks okay to me.

Merged then.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Trac:
Status: closed to reopened
Resolution: fixed to N/A

Hm. Running it on moria1 with protocolwarnings 1, I see quite a few

Jul 01 05:37:54.000 [warn] Bug/attack: unexpected sendme cell from client. Closing circ.
Jul 01 05:37:54.000 [warn] connection_edge_process_relay_cell (away from origin) failed.
Jul 01 05:37:54.000 [warn] circuit_receive_relay_cell (forward) failed. Closing.

I wonder if these are people performing the exploit, or people otherwise doing something unexpected.

Ok, I reverted.

moria1 was seeing circwindows of 1950+ in normal operation.

#6271 (moved) for the new bug.

Trac:
Status: reopened to needs_information

Fyi, I'm running the #6271 (moved) patch and the #6252 (moved) patch on moria1, with no complaints now.

So do you think we can re-cherrypick the 6252 patch again? If so see branch "bug6252_again" in my public repository.

Trac:
Status: needs_information to needs_review

Still no warnings on moria1. What could go wrong! Let's do it.

(should we make the warnings louder for a few versions, in case they show up on, say, exit relays?)

Maybe we should rate-limit them if we do?

Sure.

Or we could merge it into master first, with warnings loud, and later put it into 0.2.3 with fewer warnings?

Or put it into 0.2.3 nice and quiet and make it loud in master. The possibilities are endless. "Feel free" say I

Merging into maint-0.2.3; making the warnings louder in master.

If you want to change that, feel free.

Trac:
Resolution: N/A to fixed
Status: needs_review to closed

Trac:
Keywords: N/A deleted, tor-relay added

Trac:
Component: Tor Relay to Tor

Trac:
notices-sendmecells.log