Merge branch 'link_negotiation_assert_023' into release-0.2.3

2012-10-25 10:15:03 -04:00 · 2012-10-25 10:15:03 -04:00 · da336312eb
parent 89dc27b989 758428dd32
commit da336312eb
2 changed files with 15 additions and 0 deletions
--- a/changes/link_negotiation_assert
+++ b/changes/link_negotiation_assert
@ -0,0 +1,6 @@
+  o Major bugfixs (security):
+    - Fix a group of remotely triggerable assertion failures related to
+      incorrect link protocol negotiation. Found, diagnosed, and fixed
+      by "some guy from France." Fix for CVE-2012-2250; bugfix on
+      0.2.3.6-alpha.
+
--- a/src/or/command.c
+++ b/src/or/command.c
@ -719,6 +719,15 @@ command_process_versions_cell(var_cell_t *cell, or_connection_t *conn)
           "handshake. Closing connection.");
    connection_mark_for_close(TO_CONN(conn));
    return;
+  } else if (highest_supported_version != 2 &&
+             conn->_base.state == OR_CONN_STATE_OR_HANDSHAKING_V2) {
+    /* XXXX This should eventually be a log_protocol_warn */
+    log_fn(LOG_WARN, LD_OR,
+           "Negotiated link with non-2 protocol after doing a v2 TLS "
+           "handshake with %s. Closing connection.",
+           fmt_addr(&conn->_base.addr));
+    connection_mark_for_close(TO_CONN(conn));
+    return;
  }

  conn->link_proto = highest_supported_version;