Verify cpath_layer match on rendezvous cells too. Fixes another case of bug 446. Based on patch from rovv.

svn:r17162

ChangeLog

@@ -37,6 +37,10 @@ Changes in version 0.2.1.7-alpha - 2008-10-xx
     - Fix another case of assuming, when a specific exit is requested,
       that we know more than the user about what hosts it allows.
       Fixes another case of bug 752.  Patch from rovv.
+    - Check which hops rendezvous stream cells are associated with to
+      prevent possible guess-the-streamid injection attacks from
+      intermediate hops.  Fixes another case of bug 446. Based on patch
+      from rovv.
 
 
 Changes in version 0.2.1.6-alpha - 2008-09-30

src/or/or.h

@@ -3963,8 +3963,8 @@ rend_data_free(rend_data_t *data)
 
 int rend_cmp_service_ids(const char *one, const char *two);
 
-void rend_process_relay_cell(circuit_t *circ, int command, size_t length,
-                             const char *payload);
+void rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+                             int command, size_t length, const char *payload);
 
 void rend_service_descriptor_free(rend_service_descriptor_t *desc);
 int rend_encode_service_descriptor(rend_service_descriptor_t *desc,

src/or/relay.c

@@ -1151,7 +1151,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
     case RELAY_COMMAND_RENDEZVOUS2:
     case RELAY_COMMAND_INTRO_ESTABLISHED:
     case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
-      rend_process_relay_cell(circ, rh.command, rh.length,
+      rend_process_relay_cell(circ, layer_hint,
+                              rh.command, rh.length,
                               cell->payload+RELAY_HEADER_SIZE);
       return 0;
   }

src/or/rendcommon.c

@@ -1387,16 +1387,24 @@ rend_cache_store_v2_desc_as_client(const char *desc,
 /** Called when we get a rendezvous-related relay cell on circuit
  * <b>circ</b>.  Dispatch on rendezvous relay command. */
 void
-rend_process_relay_cell(circuit_t *circ, int command, size_t length,
+rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
+                        int command, size_t length,
                         const char *payload)
 {
   or_circuit_t *or_circ = NULL;
   origin_circuit_t *origin_circ = NULL;
   int r = -2;
-  if (CIRCUIT_IS_ORIGIN(circ))
+  if (CIRCUIT_IS_ORIGIN(circ)) {
     origin_circ = TO_ORIGIN_CIRCUIT(circ);
-  else
+    if (layer_hint && layer_hint != origin_circ->cpath->prev) {
+      log_fn(LOG_PROTOCOL_WARN, LD_APP,
+             "Relay cell (rend purpose %d) from wrong hop on origin circ",
+             command);
+      origin_circ = NULL;
+    }
+  } else {
     or_circ = TO_OR_CIRCUIT(circ);
+  }
 
   switch (command) {
     case RELAY_COMMAND_ESTABLISH_INTRO: