15 лет назад · ee31e0829e
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,10 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx
 
				     - Fix another case of assuming, when a specific exit is requested,
			
 
				       that we know more than the user about what hosts it allows.
			
 
				       Fixes another case of bug 752.  Patch from rovv.
			
 
				+    - Check which hops rendezvous stream cells are associated with to
			
 
				+      prevent possible guess-the-streamid injection attacks from
			
 
				+      intermediate hops.  Fixes another case of bug 446. Based on patch
			
 
				+      from rovv.
			
 
				 
			
 
				 
			
 
				 Changes in version 0.2.1.6-alpha - 2008-09-30
			
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3963,8 +3963,8 @@ rend_data_free(rend_data_t *data)
 
				 
			
 
				 int rend_cmp_service_ids(const char *one, const char *two);
			
 
				 
			
 
				-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
			
 
				-                             const char *payload);
			
 
				+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
			
 
				+                             int command, size_t length, const char *payload);
			
 
				 
			
 
				 void rend_service_descriptor_free(rend_service_descriptor_t *desc);
			
 
				 int rend_encode_service_descriptor(rend_service_descriptor_t *desc,
			
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1151,7 +1151,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 
				     case RELAY_COMMAND_RENDEZVOUS2:
			
 
				     case RELAY_COMMAND_INTRO_ESTABLISHED:
			
 
				     case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
			
 
				-      rend_process_relay_cell(circ, rh.command, rh.length,
			
 
				+      rend_process_relay_cell(circ, layer_hint,
			
 
				+                              rh.command, rh.length,
			
 
				                               cell->payload+RELAY_HEADER_SIZE);
			
 
				       return 0;
			
 
				   }
			
--- a/src/or/rendcommon.c
+++ b/src/or/rendcommon.c
@@ -1387,16 +1387,24 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 
				 /** Called when we get a rendezvous-related relay cell on circuit
			
 
				  * <b>circ</b>.  Dispatch on rendezvous relay command. */
			
 
				 void
			
 
				-rend_process_relay_cell(circuit_t *circ, int command, size_t length,
			
 
				+rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
			
 
				+                        int command, size_t length,
			
 
				                         const char *payload)
			
 
				 {
			
 
				   or_circuit_t *or_circ = NULL;
			
 
				   origin_circuit_t *origin_circ = NULL;
			
 
				   int r = -2;
			
 
				-  if (CIRCUIT_IS_ORIGIN(circ))
			
 
				+  if (CIRCUIT_IS_ORIGIN(circ)) {
			
 
				     origin_circ = TO_ORIGIN_CIRCUIT(circ);
			
 
				-  else
			
 
				+    if (layer_hint && layer_hint != origin_circ->cpath->prev) {
			
 
				+      log_fn(LOG_PROTOCOL_WARN, LD_APP,
			
 
				+             "Relay cell (rend purpose %d) from wrong hop on origin circ",
			
 
				+             command);
			
 
				+      origin_circ = NULL;
			
 
				+    }
			
 
				+  } else {
			
 
				     or_circ = TO_OR_CIRCUIT(circ);
			
 
				+  }
			
 
				 
			
 
				   switch (command) {
			
 
				     case RELAY_COMMAND_ESTABLISH_INTRO: