[tor-bugs] #10777 [Tor]: Remotely triggerable circuit destruction by path bias code
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Feb 10 02:38:27 UTC 2014
#10777: Remotely triggerable circuit destruction by path bias code
-----------------------------+-----------------------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-client regression
Actual Points: | Parent ID:
Points: |
-----------------------------+-----------------------------------
Changes (by nickm):
* cc: mikeperry (added)
* status: needs_information => needs_review
Comment:
To be clear, it's circuit destruction that's triggerable by the exit node,
right? But the exit node can already trigger circuit destruction by
sending a DESTROY cell. The real problematic case is if the user can be
tricked into sending something that causes an ENETUNREACH response from
the exit node.
In any case, we should ENETUNREACH to give NOROUTE. There's a patch for
that as "bug10777_noroute_024"
If a third party *can* trigger this, we need to remove the case
END_STREAM_REASON_INTERNAL case from connection_ap_process_end_notopen,
treating it as neither a path-bias success nor a path-bias failure.
There's a patch for that as "bug10777_nointernal_024."
Mike, I am leaning towards merging both. Please let me know if this makes
path bias useless.
Also, there's maybe a third bug: If the user triggered this by using
MapAddress to map advertising networks to some netblock we should have
recognized as private., that should probably have taken effect and caused
the stream to get blocked connection to a private address *before* the
RELAY_BEGIN cell is ever sent. (Was it a private network block, or
something else?)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10777#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list