authorNick Mathewson <nickm@torproject.org>2016-12-08 10:22:23 -0500
committerNick Mathewson <nickm@torproject.org>2016-12-16 11:06:22 -0500
commitfc7751a989681fbf0f94387c070cced261a83c9c (patch)
tree2a78c614daccae09e4c6d33df358cf2ba07f6799 /src/or
parent2e2f3a4d99885c0d348024dc85ed6ef064a62ace (diff)
Rewrite state transition logic in entry_guards_note_success()
asn found while testing that this function can be reached with GUARD_STATE_COMPLETE circuits; I believe this happens when cannibalization occurs. The added complexity of handling one more state made it reasonable to turn the main logic here into a switch statement.
Diffstat (limited to 'src/or')
-rw-r--r--src/or/entrynodes.c40
1 files changed, 23 insertions, 17 deletions
diff --git a/src/or/entrynodes.c b/src/or/entrynodes.c
index 3249ce2947..cf85dad309 100644
--- a/src/or/entrynodes.c
+++ b/src/or/entrynodes.c
@@ -1927,25 +1927,31 @@ entry_guards_note_guard_success(guard_selection_t *gs,
}
unsigned new_state;
- if (old_state == GUARD_CIRC_STATE_USABLE_ON_COMPLETION) {
- new_state = GUARD_CIRC_STATE_COMPLETE;
- } else {
- tor_assert_nonfatal(
- old_state == GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD);
-
- if (guard->is_primary) {
- /* XXXX prop271 -- I don't actually like this logic. It seems to make us
- * a little more susceptible to evil-ISP attacks. The mitigations I'm
- * thinking of, however, aren't local to this point, so I'll leave it
- * alone. */
- /* This guard may have become primary by virtue of being confirmed.
- If so, the circuit for it is now complete.
- */
+ switch (old_state) {
+ case GUARD_CIRC_STATE_COMPLETE:
+ case GUARD_CIRC_STATE_USABLE_ON_COMPLETION:
new_state = GUARD_CIRC_STATE_COMPLETE;
- } else {
- new_state = GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD;
- }
+ break;
+ default:
+ tor_assert_nonfatal_unreached();
+ /* Fall through. */
+ case GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD:
+ if (guard->is_primary) {
+ /* XXXX prop271 -- I don't actually like this logic. It seems to make
+ * us a little more susceptible to evil-ISP attacks. The mitigations
+ * I'm thinking of, however, aren't local to this point, so I'll leave
+ * it alone. */
+ /* This guard may have become primary by virtue of being confirmed.
+ * If so, the circuit for it is now complete.
+ */
+ new_state = GUARD_CIRC_STATE_COMPLETE;
+ } else {
+ new_state = GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD;
+ }
+ break;
+ }
+ if (! guard->is_primary) {
if (last_time_on_internet + get_internet_likely_down_interval()
< approx_time()) {
mark_primary_guards_maybe_reachable(gs);
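Review bot: The `default:` arm sits mid-switch and falls through into `case GUARD_CIRC_STATE_USABLE_IF_NO_BETTER_GUARD:`, so a circuit arriving in any unanticipated state is still set to `GUARD_CIRC_STATE_COMPLETE` whenever `guard->is_primary` is true. This assumes `tor_assert_nonfatal_unreached()` only logs in production builds, and it carries over the behaviour of the old `else` branch rather than introducing it. If that recovery is deliberate, say so at the label, for example `/* Unexpected state: log a bug and treat it like USABLE_IF_NO_BETTER_GUARD, as the pre-switch code did. */`. Otherwise consider whether the unexpected case should take the more conservative `GUARD_CIRC_STATE_WAITING_FOR_BETTER_GUARD` result regardless of `is_primary`. The new `case GUARD_CIRC_STATE_COMPLETE:` label would also benefit from a one-line comment recording the commit message's explanation (reached with already-complete circuits, believed to come from cannibalization), since nothing in the code explains it. The enclosing function starts and ends outside this hunk.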