From c217699db1c5be02a59d7367decdb92b32827210 Mon Sep 17 00:00:00 2001 From: Cecylia Bocovich Date: Wed, 25 Sep 2024 09:06:35 -0400 Subject: [PATCH] Bug 40976: Ensure conflux guards obey family and subnet restrictions --- changes/ticket40976 | 4 ++++ src/feature/client/entrynodes.c | 15 ++++++++++----- src/feature/client/entrynodes.h | 2 +- 3 files changed, 15 insertions(+), 6 deletions(-) create mode 100644 changes/ticket40976 diff --git a/changes/ticket40976 b/changes/ticket40976 new file mode 100644 index 0000000000..7f6bbb4389 --- /dev/null +++ b/changes/ticket40976 @@ -0,0 +1,4 @@ + o Major bugfixes (conflux): + - Ensure conflux guards obey family and subnet restrictions. Fixes bug + 40976; bugfix on 0.4.8.13. + diff --git a/src/feature/client/entrynodes.c b/src/feature/client/entrynodes.c index dee41fefa8..e79b4ad858 100644 --- a/src/feature/client/entrynodes.c +++ b/src/feature/client/entrynodes.c @@ -1595,13 +1595,15 @@ guard_create_exit_restriction(const uint8_t *exit_id) /* Allocate and return a new exit guard restriction that excludes all current * and pending conflux guards */ STATIC entry_guard_restriction_t * -guard_create_conflux_restriction(const origin_circuit_t *circ) +guard_create_conflux_restriction(const origin_circuit_t *circ, + const uint8_t *exit_id) { entry_guard_restriction_t *rst = NULL; rst = tor_malloc_zero(sizeof(entry_guard_restriction_t)); rst->type = RST_EXCL_LIST; rst->excluded = smartlist_new(); conflux_add_guards_to_exclude_list(circ, rst->excluded); + memcpy(rst->exclude_id, exit_id, DIGEST_LEN); return rst; } @@ -1653,7 +1655,8 @@ static int guard_obeys_exit_restriction(const entry_guard_t *guard, const entry_guard_restriction_t *rst) { - tor_assert(rst->type == RST_EXIT_NODE); + tor_assert(rst->type == RST_EXIT_NODE || + rst->type == RST_EXCL_LIST); // Exclude the exit ID and all of its family. const node_t *node = node_get_by_id((const char*)rst->exclude_id); @@ -1709,7 +1712,8 @@ entry_guard_obeys_restriction(const entry_guard_t *guard, } else if (rst->type == RST_OUTDATED_MD_DIRSERVER) { return guard_obeys_md_dirserver_restriction(guard); } else if (rst->type == RST_EXCL_LIST) { - return !smartlist_contains_digest(rst->excluded, guard->identity); + return guard_obeys_exit_restriction(guard, rst) && + !smartlist_contains_digest(rst->excluded, guard->identity); } tor_assert_nonfatal_unreached(); @@ -3875,8 +3879,9 @@ guards_choose_guard(const origin_circuit_t *circ, entry_guard_restriction_t *rst = NULL; /* If we this is a conflux circuit, build an exclusion list for it. */ - if (CIRCUIT_IS_CONFLUX(TO_CIRCUIT(circ))) { - rst = guard_create_conflux_restriction(circ); + if (CIRCUIT_IS_CONFLUX(TO_CIRCUIT(circ)) && state + && (exit_id = build_state_get_exit_rsa_id(state))) { + rst = guard_create_conflux_restriction(circ, exit_id); /* Don't allow connecting back to the exit if there is one */ if (state && (exit_id = build_state_get_exit_rsa_id(state))) { /* add the exit_id to the excluded list */ diff --git a/src/feature/client/entrynodes.h b/src/feature/client/entrynodes.h index 2a94775430..515585e7e2 100644 --- a/src/feature/client/entrynodes.h +++ b/src/feature/client/entrynodes.h @@ -605,7 +605,7 @@ STATIC entry_guard_restriction_t *guard_create_exit_restriction( STATIC entry_guard_restriction_t *guard_create_dirserver_md_restriction(void); STATIC entry_guard_restriction_t * guard_create_conflux_restriction( - const origin_circuit_t *circ); + const origin_circuit_t *circ, const uint8_t *exit_id); STATIC void entry_guard_restriction_free_(entry_guard_restriction_t *rst); #define entry_guard_restriction_free(rst) \ -- 2.11.4.GIT