summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2014-08-13 23:15:44 -0400
committerNick Mathewson <nickm@torproject.org>2014-08-13 23:15:44 -0400
commitc69e96680a8db0d3d0c20e68f8f8d6727470ece4 (patch)
tree5d3fb2a476a7a7f7b9189e5816ba8988dad72f9d
parent283730ad1cdd911d1a669ea730741f35aa6b7f66 (diff)
parentd443658fade3b4090d0b93903b4aec857cab03ea (diff)
downloadtor-c69e96680a8db0d3d0c20e68f8f8d6727470ece4.tar.gz
tor-c69e96680a8db0d3d0c20e68f8f8d6727470ece4.zip
Merge remote-tracking branch 'origin/maint-0.2.5'
-rw-r--r--changes/bug128484
-rw-r--r--src/or/channel.c8
-rw-r--r--src/or/circuitbuild.c12
3 files changed, 20 insertions, 4 deletions
diff --git a/changes/bug12848 b/changes/bug12848
new file mode 100644
index 0000000000..7aa79c395e
--- /dev/null
+++ b/changes/bug12848
@@ -0,0 +1,4 @@
+ o Major bugfixes (relay):
+ - Avoid queuing or sending destroy cells for circuit ID zero when
+ we fail to send a CREATE cell. Fixes bug 12848; bugfix on
+ 0.0.8pre1. Found and fixed by "cypherpunks".
diff --git a/src/or/channel.c b/src/or/channel.c
index 3072effc8f..ffd68493d0 100644
--- a/src/or/channel.c
+++ b/src/or/channel.c
@@ -2682,6 +2682,14 @@ int
channel_send_destroy(circid_t circ_id, channel_t *chan, int reason)
{
tor_assert(chan);
+ if (circ_id == 0) {
+ log_warn(LD_BUG, "Attempted to send a destroy cell for circID 0 "
+ "on a channel " U64_FORMAT " at %p in state %s (%d)",
+ U64_PRINTF_ARG(chan->global_identifier),
+ chan, channel_state_to_string(chan->state),
+ chan->state);
+ return 0;
+ }
/* Check to make sure we can send on this channel first */
if (!(chan->state == CHANNEL_STATE_CLOSING ||
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 2b17d1faba..edf7d2863e 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -549,6 +549,7 @@ circuit_handle_first_hop(origin_circuit_t *circ)
log_debug(LD_CIRC,"Conn open. Delivering first onion skin.");
if ((err_reason = circuit_send_next_onion_skin(circ)) < 0) {
log_info(LD_CIRC,"circuit_send_next_onion_skin failed.");
+ circ->base_.n_chan = NULL;
return err_reason;
}
}
@@ -660,18 +661,18 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell,
static ratelim_t circid_warning_limit = RATELIM_INIT(9600);
log_fn_ratelim(&circid_warning_limit, LOG_WARN, LD_CIRC,
"failed to get unique circID.");
- return -1;
+ goto error;
}
- log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id);
- circuit_set_n_circid_chan(circ, id, circ->n_chan);
memset(&cell, 0, sizeof(cell_t));
r = relayed ? create_cell_format_relayed(&cell, create_cell)
: create_cell_format(&cell, create_cell);
if (r < 0) {
log_warn(LD_CIRC,"Couldn't format create cell");
- return -1;
+ goto error;
}
+ log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id);
+ circuit_set_n_circid_chan(circ, id, circ->n_chan);
cell.circ_id = circ->n_circ_id;
append_cell_to_circuit_queue(circ, circ->n_chan, &cell,
@@ -695,6 +696,9 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell,
}
return 0;
+ error:
+ circ->n_chan = NULL;
+ return -1;
}
/** We've decided to start our reachability testing. If all