diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-08-13 23:14:28 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-08-13 23:14:28 -0400 |
| commit | d443658fade3b4090d0b93903b4aec857cab03ea (patch) | |
| tree | a63e8ddaf855ae9d549e0c2693f6e50c4127dd85 | |
| parent | 789c8d8573b9969acd808bb19d211d4ae9ac3be4 (diff) | |
| parent | 0044d74b3c51cf5824435e76eca2a675b51a14bc (diff) | |
| download | tor-d443658fade3b4090d0b93903b4aec857cab03ea.tar.gz tor-d443658fade3b4090d0b93903b4aec857cab03ea.zip | |
Merge remote-tracking branch 'public/bug12848_024' into maint-0.2.5
Conflicts:
src/or/circuitbuild.c
| -rw-r--r-- | changes/bug12848 | 4 | ||||
| -rw-r--r-- | src/or/channel.c | 8 | ||||
| -rw-r--r-- | src/or/circuitbuild.c | 12 |
3 files changed, 20 insertions, 4 deletions
diff --git a/changes/bug12848 b/changes/bug12848 new file mode 100644 index 0000000000..7aa79c395e --- /dev/null +++ b/changes/bug12848 @@ -0,0 +1,4 @@ + o Major bugfixes (relay): + - Avoid queuing or sending destroy cells for circuit ID zero when + we fail to send a CREATE cell. Fixes bug 12848; bugfix on + 0.0.8pre1. Found and fixed by "cypherpunks". diff --git a/src/or/channel.c b/src/or/channel.c index 3072effc8f..ffd68493d0 100644 --- a/src/or/channel.c +++ b/src/or/channel.c @@ -2682,6 +2682,14 @@ int channel_send_destroy(circid_t circ_id, channel_t *chan, int reason) { tor_assert(chan); + if (circ_id == 0) { + log_warn(LD_BUG, "Attempted to send a destroy cell for circID 0 " + "on a channel " U64_FORMAT " at %p in state %s (%d)", + U64_PRINTF_ARG(chan->global_identifier), + chan, channel_state_to_string(chan->state), + chan->state); + return 0; + } /* Check to make sure we can send on this channel first */ if (!(chan->state == CHANNEL_STATE_CLOSING || diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 283afee31f..897f90fe4c 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -549,6 +549,7 @@ circuit_handle_first_hop(origin_circuit_t *circ) log_debug(LD_CIRC,"Conn open. Delivering first onion skin."); if ((err_reason = circuit_send_next_onion_skin(circ)) < 0) { log_info(LD_CIRC,"circuit_send_next_onion_skin failed."); + circ->base_.n_chan = NULL; return err_reason; } } @@ -660,18 +661,18 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell, static ratelim_t circid_warning_limit = RATELIM_INIT(9600); log_fn_ratelim(&circid_warning_limit, LOG_WARN, LD_CIRC, "failed to get unique circID."); - return -1; + goto error; } - log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id); - circuit_set_n_circid_chan(circ, id, circ->n_chan); memset(&cell, 0, sizeof(cell_t)); r = relayed ? create_cell_format_relayed(&cell, create_cell) : create_cell_format(&cell, create_cell); if (r < 0) { log_warn(LD_CIRC,"Couldn't format create cell"); - return -1; + goto error; } + log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id); + circuit_set_n_circid_chan(circ, id, circ->n_chan); cell.circ_id = circ->n_circ_id; append_cell_to_circuit_queue(circ, circ->n_chan, &cell, @@ -695,6 +696,9 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell, } return 0; + error: + circ->n_chan = NULL; + return -1; } /** We've decided to start our reachability testing. If all |