summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2023-11-09 09:14:19 -0500
committerDavid Goulet <dgoulet@torproject.org>2023-11-09 09:14:19 -0500
commitbe751a46e3941d9e6af093a307107db443b2968c (patch)
treede29a00963abf8a98a100c3c78ab7da6ba4634cd
parent6df27ae9537dbc67846a5025945636b489674f0d (diff)
parent83aecca561e5c284a7279e1fc5784871abe5304b (diff)
downloadtor-be751a46e3941d9e6af093a307107db443b2968c.tar.gz
tor-be751a46e3941d9e6af093a307107db443b2968c.zip
Merge branch 'ticket40883_048_01' into maint-0.4.8
-rw-r--r--changes/ticket408834
-rw-r--r--src/feature/hs/hs_metrics.c7
-rw-r--r--src/feature/rend/rendcommon.c9
3 files changed, 18 insertions, 2 deletions
diff --git a/changes/ticket40883 b/changes/ticket40883
new file mode 100644
index 0000000000..1186571122
--- /dev/null
+++ b/changes/ticket40883
@@ -0,0 +1,4 @@
+ o Major bugfixes (onion service, TROVE-2023-006):
+ - Fix a possible hard assert on a NULL pointer when recording a failed
+ rendezvous circuit on the service side for the MetricsPort. Fixes bug
+ 40883; bugfix on 0.4.8.1-alpha
diff --git a/src/feature/hs/hs_metrics.c b/src/feature/hs/hs_metrics.c
index 19a330a01e..4ce91c2b32 100644
--- a/src/feature/hs/hs_metrics.c
+++ b/src/feature/hs/hs_metrics.c
@@ -199,7 +199,12 @@ hs_metrics_update_by_ident(const hs_metrics_key_t key,
{
hs_service_t *service;
- tor_assert(ident_pk);
+ if (!ident_pk) {
+ /* We can end up here in case this is used from a failure/closing path for
+ * which we might not have any identity key attacehed to a circuit or
+ * connection yet. Simply don't assume we have one. */
+ return;
+ }
service = hs_service_find(ident_pk);
if (!service) {
diff --git a/src/feature/rend/rendcommon.c b/src/feature/rend/rendcommon.c
index 0628422812..5a9689e7bc 100644
--- a/src/feature/rend/rendcommon.c
+++ b/src/feature/rend/rendcommon.c
@@ -40,7 +40,14 @@ rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
int r = -2;
if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circ = TO_ORIGIN_CIRCUIT(circ);
- if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
+
+ /* Opened onion service circuit receiving cell MUST have an hs_ident as it
+ * is the underlying assumption else we can't process the cell. If this is
+ * the case, we can't recover so close the circuit. */
+ if (BUG(!origin_circ->hs_ident)) {
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+ origin_circ = NULL;
+ } else if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
log_fn(LOG_PROTOCOL_WARN, LD_APP,
"Relay cell (rend purpose %d) from wrong hop on origin circ",
command);