authorRoger Dingledine <arma@torproject.org>2020-01-29 07:31:19 -0500
committerteor <teor@torproject.org>2020-02-18 12:44:41 +1000
commitacb5b0d535dae67b6a85780b4ae54bcf415e79fc (patch)
tree052025c0802a26bc5d059d32accc29f86fa44d63 /src/feature/dirauth/dirvote.c
parentf231827946764c664fbfe7c8ddef2b88d7b6f105 (diff)
Don't accept posted votes after :52:30
If we receive via 'post' a vote from a dir auth after the fetch_missing_votes cutoff, that means we didn't get it by the time we begin the "fetching missing votes from everybody else" phase, which means it is very likely to cause a consensus split if we count it. Instead, we reject it. But we still allow votes that we fetch ourselves after that cutoff. This is a demo branch for making progress on #4631. I've been running it on moria1 and it catches and handles real buggy behavior from directory authorities, e.g. Jan 28 15:59:50.804 [warn] Rejecting vote from 199.58.81.140 received at 2020-01-28 20:59:50; our cutoff for received votes is 2020-01-28 20:52:30 Jan 28 15:59:50.805 [warn] Rejected vote from 199.58.81.140 ("Vote received too late, would be dangerous to count it"). Jan 29 01:52:52.667 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 06:52:52; our cutoff for received votes is 2020-01-29 06:52:30 Jan 29 01:52:52.669 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it"). Jan 29 04:53:26.323 [warn] Rejecting vote from 204.13.164.118 received at 2020-01-29 09:53:26; our cutoff for received votes is 2020-01-29 09:52:30 Jan 29 04:53:26.326 [warn] Rejected vote from 204.13.164.118 ("Vote received too late, would be dangerous to count it").
Diffstat (limited to 'src/feature/dirauth/dirvote.c')
-rw-r--r--src/feature/dirauth/dirvote.c24
1 files changed, 22 insertions, 2 deletions
diff --git a/src/feature/dirauth/dirvote.c b/src/feature/dirauth/dirvote.c
index 4e0e19dc91..a87e78d29f 100644
--- a/src/feature/dirauth/dirvote.c
+++ b/src/feature/dirauth/dirvote.c
@@ -2963,7 +2963,7 @@ dirvote_perform_vote(void)
if (!contents)
return -1;
- pending_vote = dirvote_add_vote(contents, &msg, &status);
+ pending_vote = dirvote_add_vote(contents, 0, &msg, &status);
tor_free(contents);
if (!pending_vote) {
log_warn(LD_DIR, "Couldn't store my own vote! (I told myself, '%s'.)",
@@ -3125,7 +3125,8 @@ list_v3_auth_ids(void)
* *<b>status_out</b> to an HTTP response and status code. (V3 authority
* only) */
pending_vote_t *
-dirvote_add_vote(const char *vote_body, const char **msg_out, int *status_out)
+dirvote_add_vote(const char *vote_body, time_t time_posted,
+ const char **msg_out, int *status_out)
{
networkstatus_t *vote;
networkstatus_voter_info_t *vi;
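Review bot: The doc comment above `dirvote_add_vote` (only its last two lines are visible in this hunk) is not extended for the new `time_posted` parameter, although the body treats 0 as "not received via post" and skips the cutoff check for it. The late-vote rejection therefore fails open for any caller that passes 0 by mistake, so the convention should be stated where callers will read it. Suggested addition to the comment: `If <b>time_posted</b> is nonzero, it is the time we received this vote as a post, and the vote is rejected if that is after the fetch_missing_votes cutoff; 0 means we generated or fetched the vote ourselves and no cutoff applies.`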
@@ -3200,6 +3201,25 @@ dirvote_add_vote(const char *vote_body, const char **msg_out, int *status_out)
goto err;
}
+ if (!time_posted) { /* I imported this one myself */
+ log_notice(LD_DIR, "Retrieved vote from %s.", vi->address);
+ }
+
+ /* Check if we received it, as a post, after the cutoff when we
+ * start asking other dir auths for it. If we do, the best plan
+ * is to discard it, because using it greatly increases the chances
+ * of a split vote for this round (some dir auths got it in time,
+ * some didn't). */
+ if (time_posted && time_posted > voting_schedule.fetch_missing_votes) {
+ char tbuf1[ISO_TIME_LEN+1], tbuf2[ISO_TIME_LEN+1];
+ format_iso_time(tbuf1, time_posted);
+ format_iso_time(tbuf2, voting_schedule.fetch_missing_votes);
+ log_warn(LD_DIR, "Rejecting vote from %s received at %s; "
+ "our cutoff for received votes is %s", vi->address, tbuf1, tbuf2);
+ *msg_out = "Vote received too late, would be dangerous to count it";
+ goto err;
+ }
+
/* Fetch any new router descriptors we just learned about */
update_consensus_router_descriptor_downloads(time(NULL), 1, vote);
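Review bot: `if (!time_posted)` is also true for our own vote, because the `dirvote_perform_vote` call in the first hunk passes 0, so the notice `Retrieved vote from %s.` would be logged for a vote that was never retrieved. The notice also fires before the rest of the function, which continues past this hunk, has finished deciding whether to keep the vote. Consider emitting it from the code path that actually fetches votes, or widening the inline comment to `/* our own vote, or one we fetched ourselves */` and wording the message to match. Separately, the rejection branch sets `*msg_out` but not `*status_out`; if the `err:` label (not visible here) does not supply a default, set the status next to the message so the posting authority gets an explicit error response.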