Merge branch 'maint-0.4.6' into release-0.4.6

3 files changed, 7 insertions, 2 deletions

diff --git a/changes/bug40645 b/changes/bug40645
new file mode 100644
index 0000000000..044d5b67d2
--- /dev/null
+++ b/changes/bug40645
@@ -0,0 +1,5 @@
+  o Minor bugfixes (defense in depth):
+    - Change a test in the netflow padding code to make it more
+      _obviously_ safe against remotely triggered crashes.
+      (It was safe against these before, but not obviously so.)
+      Fixes bug 40645; bugfix on 0.3.1.1-alpha.
diff --git a/src/core/or/channelpadding.c b/src/core/or/channelpadding.c
index 47a04e5248..1f559f6c42 100644
--- a/src/core/or/channelpadding.c
+++ b/src/core/or/channelpadding.c
@@ -186,7 +186,7 @@ channelpadding_get_netflow_inactive_timeout_ms(const channel_t *chan)
     high_timeout = MAX(high_timeout, chan->padding_timeout_high_ms);
   }
 
-  if (low_timeout == high_timeout)
+  if (low_timeout >= high_timeout)
     return low_timeout; // No randomization
 
   /*
diff --git a/src/core/or/command.c b/src/core/or/command.c
index 1343177db4..c08b255914 100644
--- a/src/core/or/command.c
+++ b/src/core/or/command.c
@@ -664,7 +664,7 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan)
        * DESTROY cell down the circuit so relays can stop queuing in-flight
        * cells for this circuit which helps with memory pressure. */
       log_debug(LD_OR, "Received DESTROY cell from n_chan, closing circuit.");
-      circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL);
+      circuit_mark_for_close(circ, reason | END_CIRC_REASON_FLAG_REMOTE);
     }
   }
 }