authorNick Mathewson <nickm@torproject.org>2012-03-31 14:17:41 -0400
committerNick Mathewson <nickm@torproject.org>2012-05-15 14:45:51 -0400
commitedf0d5b12c5d51e9f82e9c215d3b0386cf4688db (patch)
treeaed7481c43a15503d8728f1f9bbe175c493b0e46 /src/or/relay.c
parent9740f067c4bed47beb63483be4f4636167a04019 (diff)
Prevent an (impossible) null-pointer dereference in connection_edge_process_relay_cell
This would happen if the deliver window could become negative because of a nonexistent connection. (Fortunately, _that_ can't occur, thanks to circuit_consider_sending_sendme. Still, if we change our windowing logic at all, we won't want this to become triggerable.) Fix for bug 5541. Bugfix on 4a66865d, back from 0.0.2pre14. asn found this. Nice catch, asn!
Diffstat (limited to 'src/or/relay.c')
-rw-r--r--src/or/relay.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/or/relay.c b/src/or/relay.c
index b637fadf59..3c2c81b82b 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1103,8 +1103,12 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
(!layer_hint && --circ->deliver_window < 0)) {
log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
"(relay data) circ deliver_window below 0. Killing.");
- connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
- connection_mark_for_close(TO_CONN(conn));
+ if (conn) {
+ /* XXXX Do we actually need to do this? Will killing the circuit
+ * not send an END and mark the stream for close as appropriate? */
+ connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+ connection_mark_for_close(TO_CONN(conn));
+ }
return -END_CIRC_REASON_TORPROTOCOL;
}
log_debug(domain,"circ deliver_window now %d.", layer_hint ?
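Review bot: The new `if (conn)` guard has no comment saying when `conn` is NULL at this point, and the XXXX comment inside it asks a different question (whether the stream teardown is needed at all), so a later reader cannot tell that the guard is deliberate. Going by the commit description, the NULL case is a relay data cell for a nonexistent connection that arrives once the deliver window has gone negative. I would put `/* conn may be NULL here: the data cell named no known stream. The circuit is still closed by the negative return below. */` directly above the guard. The warning text is the same whether or not a stream was attached, so it may be worth distinguishing the two cases in the log message if anyone needs to triage this protocol violation later. The enclosing function and the first line of the `if` condition lie outside the hunk, so the claim about the return value closing the circuit is inferred from the "Killing." message and should be confirmed against the caller.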