[or-cvs] r6939: defense in depth (tor/trunk/src/or)

[arma at seul.org]

Author: arma
Date: 2006-07-30 00:32:58 -0400 (Sun, 30 Jul 2006)
New Revision: 6939

Modified:
   tor/trunk/src/or/circuitbuild.c
   tor/trunk/src/or/command.c
   tor/trunk/src/or/connection_edge.c
Log:
defense in depth


Modified: tor/trunk/src/or/circuitbuild.c
===================================================================
--- tor/trunk/src/or/circuitbuild.c	2006-07-30 03:53:18 UTC (rev 6938)
+++ tor/trunk/src/or/circuitbuild.c	2006-07-30 04:32:58 UTC (rev 6939)
@@ -625,11 +625,17 @@
   char *id_digest=NULL;
 
   if (circ->n_conn) {
-    log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL,
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "n_conn already set. Bug/attack. Closing.");
     return -1;
   }
 
+  if (!server_mode(get_options())) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Got an extend cell, but running as a client. Closing.");
+    return -1;
+  }
+
   relay_header_unpack(&rh, cell->payload);
 
   if (rh.length < 4+2+ONIONSKIN_CHALLENGE_LEN+DIGEST_LEN) {

Modified: tor/trunk/src/or/command.c
===================================================================
--- tor/trunk/src/or/command.c	2006-07-30 03:53:18 UTC (rev 6938)
+++ tor/trunk/src/or/command.c	2006-07-30 04:32:58 UTC (rev 6939)
@@ -173,6 +173,16 @@
     return;
   }
 
+  if (!server_mode(get_options())) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Received create cell (type %d) from %s:%d, but we're a client. "
+           "Sending back a destroy.",
+           (int)cell->command, conn->_base.address, conn->_base.port);
+    connection_or_send_destroy(cell->circ_id, conn,
+                               END_CIRC_REASON_TORPROTOCOL);
+    return;
+  }
+
   /* If the high bit of the circuit ID is not as expected, close the
    * circ. */
   id_is_high = cell->circ_id & (1<<15);

Modified: tor/trunk/src/or/connection_edge.c
===================================================================
--- tor/trunk/src/or/connection_edge.c	2006-07-30 03:53:18 UTC (rev 6938)
+++ tor/trunk/src/or/connection_edge.c	2006-07-30 04:32:58 UTC (rev 6939)
@@ -1598,12 +1598,20 @@
   uint16_t port;
 
   assert_circuit_ok(circ);
-  relay_header_unpack(&rh, cell->payload);
 
   /* XXX currently we don't send an end cell back if we drop the
    * begin because it's malformed.
    */
 
+  if (!server_mode(get_options()) &&
+      circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
+    log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
+           "Relay begin cell at non-server. Dropping.");
+    return 0;
+  }
+
+  relay_header_unpack(&rh, cell->payload);
+
   if (!memchr(cell->payload+RELAY_HEADER_SIZE, 0, rh.length)) {
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "Relay begin cell has no \\0. Dropping.");