diff options
author | Nick Mathewson <nickm@torproject.org> | 2014-06-03 18:19:08 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-06-03 18:19:08 -0400 |
commit | 84ed086d4858ed14de4a4a8bfc3283a73b7c4657 (patch) | |
tree | 4f5e33ed2f65be0cd2b7b2e2a22714d1eba833cb /src | |
parent | 8d9602c21ccc0d93c82c651d94791df88cf4c9ad (diff) | |
download | tor-84ed086d4858ed14de4a4a8bfc3283a73b7c4657.tar.gz tor-84ed086d4858ed14de4a4a8bfc3283a73b7c4657.zip |
Fix ancient code that only checked circ_id, not circ_id and chan
This code mis-handled the case where a circuit got the same circuit
ID in both directions. I found three instances of it in the
codebase, by grepping for [pn]_circ_id.
Because of the issue in command_process_relay_cell(), this would
have made roughly one circuit in a million completely nonfunctional.
Fixes bug 12195.
Diffstat (limited to 'src')
-rw-r--r-- | src/or/command.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/or/command.c b/src/or/command.c index 699b02fb47..f638fad41c 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -349,7 +349,7 @@ command_process_created_cell(cell_t *cell, channel_t *chan) return; } - if (circ->n_circ_id != cell->circ_id) { + if (circ->n_circ_id != cell->circ_id || circ->n_chan != chan) { log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL, "got created cell from Tor client? Closing."); circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL); @@ -434,6 +434,7 @@ command_process_relay_cell(cell_t *cell, channel_t *chan) } if (!CIRCUIT_IS_ORIGIN(circ) && + chan == TO_OR_CIRCUIT(circ)->p_chan && cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) direction = CELL_DIRECTION_OUT; else @@ -501,6 +502,7 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan) reason = (uint8_t)cell->payload[0]; if (!CIRCUIT_IS_ORIGIN(circ) && + chan == TO_OR_CIRCUIT(circ)->p_chan && cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) { /* the destroy came from behind */ circuit_set_p_circid_chan(TO_OR_CIRCUIT(circ), 0, NULL); |