Tags on relay cells can result in certain reason codes.

Close the circuit (it's probably junk anyways), and make sure we don't probe
it/count it as a success.

1 files changed, 17 insertions, 7 deletions

diff --git a/src/or/relay.c b/src/or/relay.c
index fd8f8579a7..b4b77007cd 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -694,13 +694,23 @@ connection_ap_process_end_not_open(
   (void) layer_hint; /* unused */
 
   if (rh->length > 0) {
-    /* Path bias: If we get a valid reason code from the exit,
-     * it wasn't due to tagging */
-    // XXX: This relies on recognized+digest being strong enough not
-    // to be spoofable.. Is that a valid assumption?
-    // Or more accurately: is it better than nothing? Can the attack
-    // be done offline?
-    circ->path_state = PATH_STATE_USE_SUCCEEDED;
+    if (reason == END_STREAM_REASON_TORPROTOCOL ||
+        reason == END_STREAM_REASON_INTERNAL ||
+        reason == END_STREAM_REASON_DESTROY) {
+      /* All three of these reasons could mean a failed tag
+       * hit the exit and it shat itself. Do not probe.
+       * Fail the circuit. */
+      circ->path_state = PATH_STATE_USE_FAILED;
+      return -END_CIRC_REASON_TORPROTOCOL;
+    } else {
+      /* Path bias: If we get a valid reason code from the exit,
+       * it wasn't due to tagging */
+      // XXX: This relies on recognized+digest being strong enough not
+      // to be spoofable.. Is that a valid assumption?
+      // Or more accurately: is it better than nothing? Can the attack
+      // be done offline?
+      circ->path_state = PATH_STATE_USE_SUCCEEDED;
+    }
   }
 
   if (rh->length > 0 && edge_reason_is_retriable(reason) &&