[tor-bugs] #26060 [Core Tor/Stem]: Invalid [Length] field when receiving RELAY cells via stem.client.Circuit
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed May 9 13:16:20 UTC 2018
#26060: Invalid [Length] field when receiving RELAY cells via stem.client.Circuit
-------------------------------+--------------------
Reporter: plcp | Owner: atagar
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Stem | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-------------------------------+--------------------
When receiving data via the `stem.client.Circuit.send` method, the current
behavior is to unpack the RELAY cell before "repacking" it in order to get
a "raw bytes" representation of the ciphertext. The ciphertext is then
decrypted and the cell repacked.
See
https://gitweb.torproject.org/stem.git/tree/stem/client/__init__.py#n250
However, when a RELAY cell is unpacked, its [Length] field is used as-is:
hence, an encrypted RELAY may see its content needlessly truncated. Note
that here the original value of the [Length] field is not retained, thus
we'll later be unable to retrieve it.
See https://gitweb.torproject.org/stem.git/tree/stem/client/cell.py#n347
Finally, when a RELAY cell is packed, the [Length] field is computed from
the length of the data stored. As this field will later be decrypted, we
have an invalid [Length] field for every RELAY cell we receive via the
`stem.client.Circuit.send` method.
See https://gitweb.torproject.org/stem.git/tree/stem/client/cell.py#n335
(note that I was able to fix my local copy of stem by adding an extra
keyword argument `length=None` to `RelayCell`'s `__init__` method that
defaults to `len(data)` and by adding an extra keyword argument
"encrypted" to `RelayCell`'s `_unpack` class method that defaults to
`False` in order to handle the discrepancy between the
ciphertext/plaintext cases)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26060>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
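
The round trip described in the ticket, reproduced as an added example (not stem's code and not part of the original report). It assumes the tor-spec RELAY payload layout (11-byte header, 498 data bytes); `pack`, `unpack`, `crypt` and the constructed XOR keystream are hypothetical stand-ins, with `length=` and `encrypted=` modelled on the keyword arguments the reporter describes.

```python
import struct

# RELAY payload header: command, recognized, stream id, digest, length
HEADER = struct.Struct(">BHH4sH")
PAYLOAD_LEN = 509                      # RELAY cell payload size (tor-spec)
DATA_LEN = PAYLOAD_LEN - HEADER.size   # 498 data bytes

# Constructed keystream standing in for the circuit's stream cipher.
KEYSTREAM = bytes((i * 7 + 3) % 256 for i in range(PAYLOAD_LEN))

def crypt(payload):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(payload, KEYSTREAM))

def pack(command, recognized, stream_id, digest, data, length=None):
    """Serialize a payload; length=None recomputes it from the data."""
    if length is None:
        length = len(data)
    header = HEADER.pack(command, recognized, stream_id, digest, length)
    return header + data.ljust(DATA_LEN, b"\x00")

def unpack(payload, encrypted=False):
    """Parse a payload; in ciphertext Length is noise, so keep all 498 bytes."""
    command, recognized, stream_id, digest, length = HEADER.unpack_from(payload)
    body = payload[HEADER.size:]
    data = body if encrypted else body[:length]   # plaintext path trusts Length
    return command, recognized, stream_id, digest, data, length

def length_after_roundtrip(ciphertext, fixed):
    """Unpack and repack the ciphertext, decrypt, return the Length field."""
    fields = unpack(ciphertext, encrypted=fixed)
    if fixed:
        repacked = pack(*fields)        # received Length carried through
    else:
        repacked = pack(*fields[:5])    # Length recomputed from len(data)
    return unpack(crypt(repacked))[5]

# Constructed sample: a RELAY_DATA cell (command 2) on stream 1.
PLAINTEXT = pack(2, 0, 1, b"\x00" * 4, b"hello")
CIPHERTEXT = crypt(PLAINTEXT)

if __name__ == "__main__":
    print("Length in ciphertext:  ", unpack(CIPHERTEXT, encrypted=True)[5])
    print("after lossy round trip:", length_after_roundtrip(CIPHERTEXT, False))
    print("after fixed round trip:", length_after_roundtrip(CIPHERTEXT, True))
```

With this sample the encrypted Length exceeds 498, so the data survives the slice and only the Length field is corrupted; an encrypted Length below 498 would also truncate ciphertext bytes.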