diff options
| author | David Goulet <dgoulet@torproject.org> | 2023-11-09 09:17:51 -0500 |
|---|---|---|
| committer | David Goulet <dgoulet@torproject.org> | 2023-11-09 09:17:51 -0500 |
| commit | 5d2293c5ce9f01e6fc99c34fafafd544912a857f (patch) | |
| tree | fc73ab045dadf7454d24528befc5eeed2889354b | |
| parent | a18f3b8fb6ce0e055e0265b664f2af7f475aeb3e (diff) | |
| parent | be751a46e3941d9e6af093a307107db443b2968c (diff) | |
| download | tor-5d2293c5ce9f01e6fc99c34fafafd544912a857f.tar.gz tor-5d2293c5ce9f01e6fc99c34fafafd544912a857f.zip | |
Merge branch 'maint-0.4.8' into release-0.4.8
| -rw-r--r-- | changes/ticket40883 | 4 | ||||
| -rw-r--r-- | src/feature/hs/hs_metrics.c | 7 | ||||
| -rw-r--r-- | src/feature/rend/rendcommon.c | 9 |
3 files changed, 18 insertions, 2 deletions
diff --git a/changes/ticket40883 b/changes/ticket40883 new file mode 100644 index 0000000000..1186571122 --- /dev/null +++ b/changes/ticket40883 @@ -0,0 +1,4 @@ + o Major bugfixes (onion service, TROVE-2023-006): + - Fix a possible hard assert on a NULL pointer when recording a failed + rendezvous circuit on the service side for the MetricsPort. Fixes bug + 40883; bugfix on 0.4.8.1-alpha diff --git a/src/feature/hs/hs_metrics.c b/src/feature/hs/hs_metrics.c index 19a330a01e..4ce91c2b32 100644 --- a/src/feature/hs/hs_metrics.c +++ b/src/feature/hs/hs_metrics.c @@ -199,7 +199,12 @@ hs_metrics_update_by_ident(const hs_metrics_key_t key, { hs_service_t *service; - tor_assert(ident_pk); + if (!ident_pk) { + /* We can end up here in case this is used from a failure/closing path for + * which we might not have any identity key attacehed to a circuit or + * connection yet. Simply don't assume we have one. */ + return; + } service = hs_service_find(ident_pk); if (!service) { diff --git a/src/feature/rend/rendcommon.c b/src/feature/rend/rendcommon.c index 0628422812..5a9689e7bc 100644 --- a/src/feature/rend/rendcommon.c +++ b/src/feature/rend/rendcommon.c @@ -40,7 +40,14 @@ rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint, int r = -2; if (CIRCUIT_IS_ORIGIN(circ)) { origin_circ = TO_ORIGIN_CIRCUIT(circ); - if (!layer_hint || layer_hint != origin_circ->cpath->prev) { + + /* Opened onion service circuit receiving cell MUST have an hs_ident as it + * is the underlying assumption else we can't process the cell. If this is + * the case, we can't recover so close the circuit. */ + if (BUG(!origin_circ->hs_ident)) { + circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL); + origin_circ = NULL; + } else if (!layer_hint || layer_hint != origin_circ->cpath->prev) { log_fn(LOG_PROTOCOL_WARN, LD_APP, "Relay cell (rend purpose %d) from wrong hop on origin circ", command); |