Opened 8 years ago

Closed 5 years ago

#7947 closed defect (fixed)

Do handle TRUNCATE command properly if circuit pending still

Reported by: cypherpunks Owned by:
Priority: Medium Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-relay 023-backport
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


--- relay.c.orig
+++ relay.c
@@ -1354,6 +1354,12 @@
                "'truncate' unsupported at origin. Dropping.");
         return 0;
+      if (circ->n_hop) {
+        extend_info_free(circ->n_hop);
+        circ->n_hop = NULL;
+        tor_free(circ->n_chan_create_cell);
+        circuit_set_state(circ, CIRCUIT_STATE_OPEN);
+      }
       if (circ->n_chan) {
         uint8_t trunc_reason = get_uint8(cell->payload + RELAY_HEADER_SIZE);
         circuit_clear_cell_queue(circ, circ->n_chan);
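
Review bot: The added `if (circ->n_hop)` block forces the circuit to CIRCUIT_STATE_OPEN without checking that no channel is attached, and the `if (circ->n_chan)` branch directly below then runs on the same circuit. If the two fields are meant to be mutually exclusive, encode that in the condition, e.g. `if (circ->n_hop && !circ->n_chan) {`. That is preferable to an assertion here, because this path is reached from a cell sent by a remote peer and a violated assertion would take the relay down. The block also needs a short comment stating that it handles a TRUNCATE arriving while an extend is still pending, since nothing in these lines explains why the pending hop and create cell are discarded and the state reset. Separately, the hunk header declares 6 old lines but only 5 context lines are shown, and the closing brace after `return 0;` is absent, so the patch should be regenerated against the tree before it is applied.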

Change History (6)

comment:1 Changed 8 years ago by nickm

Keywords: tor-relay added

Should that be:

      if (circ->n_hop && !circ->n_chan) {

And is this tested?

comment:2 Changed 8 years ago by cypherpunks

circ->n_hop and circ->n_chan can't be set at the same time anyway. You could place tor_assert(!circ->n_chan) for sure.

No, it wasn't tested. It even makes attack-with-zillion-connections-to-internet even easier, no need to build new circuits or wait for success of the extend request -- just truncate and extend to a new target. But you can't prevent it if no fix is placed, anyway. Legitimate clients still have a purpose not to wait for answer to truncate non-finished extend request yet and repeat to new address, even if no connection complete or no create cell flushed yet or something else.

comment:3 Changed 7 years ago by nickm

Status: changed from new to needs_review

comment:4 Changed 7 years ago by nickm

Keywords: 023-backport added
Milestone: changed from Tor: 0.2.4.x-final to Tor: 0.2.3.x-final

Merged! The code is in my branch "bug7947" and should be considered for 0.2.3 backport.

comment:5 Changed 7 years ago by arma

This seems like a matter of protocol correctness for a behavior no Tor currently generates. I think there's no need to get it into 0.2.3.

comment:6 Changed 5 years ago by nickm

Milestone: changed from Tor: 0.2.3.x-final to Tor: 0.2.4.x-final
Resolution: set to fixed
Status: changed from needs_review to closed

Marking a batch of tickets that had been under consideration for 0.2.3 backport as fixed-in-0.2.4. There is no plan for further 0.2.3 releases.
