diff options
| author | Nick Mathewson <nickm@torproject.org> | 2016-12-08 10:22:23 -0500 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-12-16 11:06:22 -0500 |
| commit | fc7751a989681fbf0f94387c070cced261a83c9c (patch) | |
| tree | 2a78c614daccae09e4c6d33df358cf2ba07f6799 /src/or/entrynodes.c | |
| parent | 2e2f3a4d99885c0d348024dc85ed6ef064a62ace (diff) | |
| download | tor-fc7751a989681fbf0f94387c070cced261a83c9c.tar.gz tor-fc7751a989681fbf0f94387c070cced261a83c9c.zip | |
Rewrite state transition logic in entry_guards_note_success()
asn found while testing that this function can be reached with
GUARD_STATE_COMPLETE circuits; I believe this happens when
cannibalization occurs.
The added complexity of handling one more state made it reasonable
to turn the main logic here into a switch statement.
Diffstat (limited to 'src/or/entrynodes.c')
| -rw-r--r-- | src/or/entrynodes.c | 40 |
1 files changed, 23 insertions, 17 deletions
diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c index 3249ce2947..cf85dad309 100644 --- a/src/or/entrynodes.c +++ b/src/or/entrynodes.c @@ -1927,25 +1927,31 @@ entry_guards_note_guard_success(guard_selection_t *gs, } unsigned new_state; - if (old_state == GUARD_CIRC_STATE_USABLE_ON_COMPLETION) { - new_state = GUARD_CIRC_STATE_COMPLETE; - } else { - tor_assert_nonfatal( - old_state == GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD); - - if (guard->is_primary) { - /* XXXX prop271 -- I don't actually like this logic. It seems to make us - * a little more susceptible to evil-ISP attacks. The mitigations I'm - * thinking of, however, aren't local to this point, so I'll leave it - * alone. */ - /* This guard may have become primary by virtue of being confirmed. - If so, the circuit for it is now complete. - */ + switch (old_state) { + case GUARD_CIRC_STATE_COMPLETE: + case GUARD_CIRC_STATE_USABLE_ON_COMPLETION: new_state = GUARD_CIRC_STATE_COMPLETE; - } else { - new_state = GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD; - } + break; + default: + tor_assert_nonfatal_unreached(); + /* Fall through. */ + case GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD: + if (guard->is_primary) { + /* XXXX prop271 -- I don't actually like this logic. It seems to make + * us a little more susceptible to evil-ISP attacks. The mitigations + * I'm thinking of, however, aren't local to this point, so I'll leave + * it alone. */ + /* This guard may have become primary by virtue of being confirmed. + * If so, the circuit for it is now complete. + */ + new_state = GUARD_CIRC_STATE_COMPLETE; + } else { + new_state = GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD; + } + break; + } + if (! guard->is_primary) { if (last_time_on_internet + get_internet_likely_down_interval() < approx_time()) { mark_primary_guards_maybe_reachable(gs); |