summaryrefslogtreecommitdiff
path: root/src/or/relay.c
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2017-12-07 15:41:09 -0500
committerNick Mathewson <nickm@torproject.org>2017-12-08 14:43:27 -0500
commit6120efd771928fc958b552b9f5c3e09d949e92fe (patch)
tree1ce64d9813387af6384f35d71224baf3a32252c0 /src/or/relay.c
parent428ee55e5187a57b8bbc171c8b62da08209a7954 (diff)
downloadtor-6120efd771928fc958b552b9f5c3e09d949e92fe.tar.gz
tor-6120efd771928fc958b552b9f5c3e09d949e92fe.zip
chan: Do not re-queue after a fail cell write
Couple things happen in this commit. First, we do not re-queue a cell back in the circuit queue if the write packed cell failed. Currently, it is close to impossible to have it failed but just in case, the channel is mark as closed and we move on. The second thing is that the channel_write_packed_cell() always took ownership of the cell whatever the outcome. This means, on success or failure, it needs to free it. It turns out that that we were using the wrong free function in one case and not freeing it in an other possible code path. So, this commit makes sure we only free it in one place that is at the very end of channel_write_packed_cell() which is the top layer of the channel abstraction. This makes also channel_tls_write_packed_cell_method() return a negative value on error. Two unit tests had to be fixed (quite trivial) due to a double free of the packed cell in the test since now we do free it in all cases correctly. Part of #23709 Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/or/relay.c')
-rw-r--r--src/or/relay.c24
1 files changed, 8 insertions, 16 deletions
diff --git a/src/or/relay.c b/src/or/relay.c
index f36fc78cda..ac91032844 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -2521,17 +2521,6 @@ cell_queue_pop(cell_queue_t *queue)
return cell;
}
-/** Insert <b>cell</b> as the head of the <b>queue</b>. */
-static void
-cell_insert_head(cell_queue_t *queue, packed_cell_t *cell)
-{
- tor_assert(queue);
- tor_assert(cell);
-
- TOR_SIMPLEQ_INSERT_HEAD(&queue->head, cell, next);
- ++queue->n;
-}
-
/** Return the total number of bytes used for each packed_cell in a queue.
* Approximate. */
size_t
@@ -2757,8 +2746,11 @@ channel_flush_from_first_active_circuit, (channel_t *chan, int max))
/* this code is duplicated from some of the logic below. Ugly! XXXX */
tor_assert(destroy_queue->n > 0);
cell = cell_queue_pop(destroy_queue);
+ /* Send the DESTROY cell. It is very unlikely that this fails but just
+ * in case, get rid of the channel. */
if (channel_write_packed_cell(chan, cell) < 0) {
- cell_insert_head(destroy_queue, cell);
+ /* The cell has been freed. */
+ channel_mark_for_close(chan);
continue;
}
/* Update the cmux destroy counter */
@@ -2836,11 +2828,11 @@ channel_flush_from_first_active_circuit, (channel_t *chan, int max))
DIRREQ_TUNNELED,
DIRREQ_CIRC_QUEUE_FLUSHED);
- /* Now send the cell */
+ /* Now send the cell. It is very unlikely that this fails but just in
+ * case, get rid of the channel. */
if (channel_write_packed_cell(chan, cell) < 0) {
- /* Unable to send the cell, put it back at the start of the circuit
- * queue so we can retry. */
- cell_insert_head(queue, cell);
+ /* The cell has been freed at this point. */
+ channel_mark_for_close(chan);
continue;
}
cell = NULL;