diff options
| author | Roger Dingledine <arma@torproject.org> | 2007-07-12 17:16:18 +0000 |
|---|---|---|
| committer | Roger Dingledine <arma@torproject.org> | 2007-07-12 17:16:18 +0000 |
| commit | c222971b5ae4a357e2e7d02461e7e2f5aa251c97 (patch) | |
| tree | dc19e47f806edc83a201182612197f4347add158 | |
| parent | d9cee674795edd7658e7695837dd860d825a8b74 (diff) | |
| download | tor-c222971b5ae4a357e2e7d02461e7e2f5aa251c97.tar.gz tor-c222971b5ae4a357e2e7d02461e7e2f5aa251c97.zip | |
backport r10818: prevent streamid collisions on relay cells
svn:r10819
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | src/or/relay.c | 12 |
2 files changed, 11 insertions, 4 deletions
@@ -24,6 +24,9 @@ Changes in version 0.1.2.15 - 2007-0?-?? - When sending destroy cells from a circuit's origin, don't include the reason for tearing down the circuit. The spec says we didn't, and now we actually don't. Reported by lodger. + - Keep streamids from different exits on a circuit separate. This + bug may have allowed other routers on a given circuit to inject + cells into streams. Reported by lodger; fixes bug 446. o Minor bugfixes (directory) - Count the number of authorities that recommend each version diff --git a/src/or/relay.c b/src/or/relay.c index 28d77cc4a5..bce0b1448a 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -17,7 +17,8 @@ const char relay_c_id[] = static int relay_crypt(circuit_t *circ, cell_t *cell, int cell_direction, crypt_path_t **layer_hint, char *recognized); static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell, - int cell_direction); + int cell_direction, + crypt_path_t *layer_hint); static int connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, @@ -162,7 +163,8 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ, int cell_direction) } if (recognized) { - edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction); + edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction, + layer_hint); if (cell_direction == CELL_DIRECTION_OUT) { ++stats_n_relay_cells_delivered; log_debug(LD_OR,"Sending away from origin."); @@ -372,7 +374,8 @@ circuit_package_relay_cell(cell_t *cell, circuit_t *circ, * attached to circ, return that conn, else return NULL. */ static edge_connection_t * -relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction) +relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction, + crypt_path_t *layer_hint) { edge_connection_t *tmpconn; relay_header_t rh; @@ -390,7 +393,8 @@ relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction) for (tmpconn = TO_ORIGIN_CIRCUIT(circ)->p_streams; tmpconn; tmpconn=tmpconn->next_stream) { if (rh.stream_id == tmpconn->stream_id && - !tmpconn->_base.marked_for_close) { + !tmpconn->_base.marked_for_close && + tmpconn->cpath_layer == layer_hint) { log_debug(LD_APP,"found conn for stream %d.", rh.stream_id); return tmpconn; } |