[tor-bugs] #10777 [Tor]: Remotely triggerable circuit destruction by path bias code

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 10 02:38:27 UTC 2014


#10777: Remotely triggerable circuit destruction by path bias code
-----------------------------+-----------------------------------
     Reporter:  cypherpunks  |      Owner:
         Type:  defect       |     Status:  needs_review
     Priority:  major        |  Milestone:  Tor: 0.2.4.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-client regression
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-----------------------------------
Changes (by nickm):

 * cc: mikeperry (added)
 * status:  needs_information => needs_review


Comment:

 To be clear, it's circuit destruction that's triggerable by the exit node,
 right?  But the exit node can already trigger circuit destruction by
 sending a DESTROY cell.  The real problematic case is if the user can be
 tricked into sending something that causes an ENETUNREACH response from
 the exit node.

 In any case, we should ENETUNREACH to give NOROUTE.  There's a patch for
 that as "bug10777_noroute_024"

 If a third party *can* trigger this, we need to remove the
 END_STREAM_REASON_INTERNAL case from connection_ap_process_end_notopen,
 treating it as neither a path-bias success nor a path-bias failure.
 There's a patch for that as "bug10777_nointernal_024."

 Mike, I am leaning towards merging both.  Please let me know if this makes
 path bias useless.

 Also, there's maybe a third bug: If the user triggered this by using
 MapAddress to map advertising networks to some netblock we should have
 recognized as private, that should probably have taken effect and caused
 the stream to get blocked connection to a private address *before* the
 RELAY_BEGIN cell is ever sent.  (Was it a private network block, or
 something else?)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10777#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

