summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2023-11-09 09:17:51 -0500
committerDavid Goulet <dgoulet@torproject.org>2023-11-09 09:17:51 -0500
commit12723de00bf8c6b10d01e818e4aec41dffea5474 (patch)
tree5f5128c26c95460b036c6bbf4b964c29806ba2d5
parent525a1cfb70c45055aaf42fc695aa24befc35aec7 (diff)
parentbe751a46e3941d9e6af093a307107db443b2968c (diff)
downloadtor-12723de00bf8c6b10d01e818e4aec41dffea5474.tar.gz
tor-12723de00bf8c6b10d01e818e4aec41dffea5474.zip
Merge branch 'maint-0.4.8'
-rw-r--r--changes/ticket408834
-rw-r--r--src/feature/hs/hs_metrics.c7
-rw-r--r--src/feature/rend/rendcommon.c9
3 files changed, 18 insertions, 2 deletions
diff --git a/changes/ticket40883 b/changes/ticket40883
new file mode 100644
index 0000000000..1186571122
--- /dev/null
+++ b/changes/ticket40883
@@ -0,0 +1,4 @@
+ o Major bugfixes (onion service, TROVE-2023-006):
+ - Fix a possible hard assert on a NULL pointer when recording a failed
+ rendezvous circuit on the service side for the MetricsPort. Fixes bug
+ 40883; bugfix on 0.4.8.1-alpha
diff --git a/src/feature/hs/hs_metrics.c b/src/feature/hs/hs_metrics.c
index 19a330a01e..4ce91c2b32 100644
--- a/src/feature/hs/hs_metrics.c
+++ b/src/feature/hs/hs_metrics.c
@@ -199,7 +199,12 @@ hs_metrics_update_by_ident(const hs_metrics_key_t key,
{
hs_service_t *service;
- tor_assert(ident_pk);
+ if (!ident_pk) {
+ /* We can end up here in case this is used from a failure/closing path for
+ * which we might not have any identity key attacehed to a circuit or
+ * connection yet. Simply don't assume we have one. */
+ return;
+ }
service = hs_service_find(ident_pk);
if (!service) {
diff --git a/src/feature/rend/rendcommon.c b/src/feature/rend/rendcommon.c
index 0628422812..5a9689e7bc 100644
--- a/src/feature/rend/rendcommon.c
+++ b/src/feature/rend/rendcommon.c
@@ -40,7 +40,14 @@ rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
int r = -2;
if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circ = TO_ORIGIN_CIRCUIT(circ);
- if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
+
+ /* Opened onion service circuit receiving cell MUST have an hs_ident as it
+ * is the underlying assumption else we can't process the cell. If this is
+ * the case, we can't recover so close the circuit. */
+ if (BUG(!origin_circ->hs_ident)) {
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+ origin_circ = NULL;
+ } else if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
log_fn(LOG_PROTOCOL_WARN, LD_APP,
"Relay cell (rend purpose %d) from wrong hop on origin circ",
command);