diff options
author | Nick Mathewson <nickm@torproject.org> | 2014-08-12 12:10:57 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-08-12 12:12:02 -0400 |
commit | b32a8b024ce3a57f8865ed2937dbc3f3fd5072ee (patch) | |
tree | 750f61e48cdebff3992743e190377dca036b23c5 | |
parent | 691371b8026d40467662a9c7cf3bd9f788ea6df5 (diff) | |
download | tor-b32a8b024ce3a57f8865ed2937dbc3f3fd5072ee.tar.gz tor-b32a8b024ce3a57f8865ed2937dbc3f3fd5072ee.zip |
Don't send DESTROY to circID 0 when circuit_deliver_create_cell fails
Cypherpunks found this and wrote this patch.
Fix for 12848; fix on (I think) d58d4c0d, which went into 0.0.8pre1
-rw-r--r-- | changes/bug12848 | 4 | ||||
-rw-r--r-- | src/or/circuitbuild.c | 11 |
2 files changed, 11 insertions, 4 deletions
diff --git a/changes/bug12848 b/changes/bug12848 new file mode 100644 index 0000000000..7aa79c395e --- /dev/null +++ b/changes/bug12848 @@ -0,0 +1,4 @@ + o Major bugfixes (relay): + - Avoid queuing or sending destroy cells for circuit ID zero when + we fail to send a CREATE cell. Fixes bug 12848; bugfix on + 0.0.8pre1. Found and fixed by "cypherpunks". diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c index 4603de071f..11f8250934 100644 --- a/src/or/circuitbuild.c +++ b/src/or/circuitbuild.c @@ -584,18 +584,18 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell, id = get_unique_circ_id_by_chan(circ->n_chan); if (!id) { log_warn(LD_CIRC,"failed to get unique circID."); - return -1; + goto error; } - log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id); - circuit_set_n_circid_chan(circ, id, circ->n_chan); memset(&cell, 0, sizeof(cell_t)); r = relayed ? create_cell_format_relayed(&cell, create_cell) : create_cell_format(&cell, create_cell); if (r < 0) { log_warn(LD_CIRC,"Couldn't format create cell"); - return -1; + goto error; } + log_debug(LD_CIRC,"Chosen circID %u.", (unsigned)id); + circuit_set_n_circid_chan(circ, id, circ->n_chan); cell.circ_id = circ->n_circ_id; append_cell_to_circuit_queue(circ, circ->n_chan, &cell, @@ -619,6 +619,9 @@ circuit_deliver_create_cell(circuit_t *circ, const create_cell_t *create_cell, } return 0; + error: + circ->n_chan = NULL; + return -1; } /** We've decided to start our reachability testing. If all |