authorRoger Dingledine <arma@torproject.org>2012-07-06 08:57:29 -0400
committerRoger Dingledine <arma@torproject.org>2012-07-06 08:57:29 -0400
commit27ec0248d2460cdfc52462d313272c206ab46f02 (patch)
treef39707c07e960c0f8c72903a1f3384f66282964e
parent62c1311b3ab57c61488ecfc8c94fabb5f2c70e6e (diff)
parent419f541aa737d3ab230ec2595d0614e2d94a5e44 (diff)
Merge remote-tracking branch 'nickm/bug6271_part_a' into maint-0.2.3
-rw-r--r--changes/bug62717
-rw-r--r--src/or/relay.c7
2 files changed, 13 insertions, 1 deletions
diff --git a/changes/bug6271 b/changes/bug6271
new file mode 100644
index 0000000000..06b129f73f
--- /dev/null
+++ b/changes/bug6271
@@ -0,0 +1,7 @@
+ o Major bugfixes
+
+ - Fix a bug handling SENDME cells on nonexistent streams that
+ could result in bizarre window values. Report and patch
+ contributed pseudymously. Fixes part of bug 6271. This bug
+ was introduced before the first Tor release, in svn commit
+ r152.
diff --git a/src/or/relay.c b/src/or/relay.c
index 3f894bfe1f..3e418ea13f 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1263,7 +1263,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
"'connected' received, no conn attached anymore. Ignoring.");
return 0;
case RELAY_COMMAND_SENDME:
- if (!conn) {
+ if (!rh.stream_id) {
if (layer_hint) {
layer_hint->package_window += CIRCWINDOW_INCREMENT;
log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
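Review bot: The circuit-level credit `layer_hint->package_window += CIRCWINDOW_INCREMENT;` has no upper bound visible in this hunk, and the same is true of `conn->package_window += STREAMWINDOW_INCREMENT;` in the second hunk. The new `rh.stream_id` test fixes which window a SENDME is applied to, but not how far a window can grow when the other side sends more SENDME cells than it was owed. I would drop and log any SENDME that would lift a window above its starting value, for example `if (conn->package_window + STREAMWINDOW_INCREMENT > STREAMWINDOW_START) return 0;`, with the matching check on the circuit window. The body of connection_edge_process_relay_cell starts and ends outside both hunks, so a bound may already be enforced elsewhere.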
@@ -1278,6 +1278,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
}
return 0;
}
+ if (!conn) {
+ log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+ rh.stream_id);
+ return 0;
+ }
conn->package_window += STREAMWINDOW_INCREMENT;
log_debug(domain,"stream-level sendme, packagewindow now %d.",
conn->package_window);
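Review bot: The added `if (!conn)` branch carries no comment explaining why a stream-level SENDME without an attached connection is dropped quietly instead of being treated as a protocol violation. A line above the check such as `/* Nonzero stream id but no stream: it was closed or never existed, so credit no window. */` would record the reasoning for the next reader. Whether info level is the right severity depends on how common late SENDMEs for closed streams are, which this hunk does not show.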