-rw-r--r--changes/bug62717
-rw-r--r--src/or/relay.c7
2 files changed, 13 insertions, 1 deletions
diff --git a/changes/bug6271 b/changes/bug6271
new file mode 100644
index 0000000000..06b129f73f
--- /dev/null
+++ b/changes/bug6271
@@ -0,0 +1,7 @@
+ o Major bugfixes
+
+ - Fix a bug handling SENDME cells on nonexistent streams that
+ could result in bizarre window values. Report and patch
+ contributed pseudymously. Fixes part of bug 6271. This bug
+ was introduced before the first Tor release, in svn commit
+ r152.
diff --git a/src/or/relay.c b/src/or/relay.c
index b637fadf59..50c14556ff 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1220,7 +1220,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
"'connected' received, no conn attached anymore. Ignoring.");
return 0;
case RELAY_COMMAND_SENDME:
- if (!conn) {
+ if (!rh.stream_id) {
if (layer_hint) {
layer_hint->package_window += CIRCWINDOW_INCREMENT;
log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
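Review bot: Both window increments in this case are applied with no upper bound in the visible lines: `layer_hint->package_window += CIRCWINDOW_INCREMENT;` here and `conn->package_window += STREAMWINDOW_INCREMENT;` in the next hunk run as soon as the cell is accepted. A peer that sends more SENDME cells than its received data justifies could then push a window past its starting size and weaken flow control. Unless a ceiling is enforced outside these hunks, I would reject the cell before incrementing, for example `if (layer_hint->package_window + CIRCWINDOW_INCREMENT > CIRCWINDOW_START) return -END_CIRC_REASON_TORPROTOCOL;` (assuming the initial window is the intended ceiling), with an equivalent check on the stream window. The enclosing function starts and ends outside the hunk, and the non-origin circuit-level branch is not visible here.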
@@ -1235,6 +1235,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
}
return 0;
}
+ if (!conn) {
+ log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+ rh.stream_id);
+ return 0;
+ }
conn->package_window += STREAMWINDOW_INCREMENT;
log_debug(domain,"stream-level sendme, packagewindow now %d.",
conn->package_window);
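Review bot: The added `if (!conn)` guard has no comment explaining why a SENDME for an unknown stream is dropped with `return 0` rather than treated as a protocol error, or why it must come after the `rh.stream_id` test. That ordering is the whole fix, so I would record it above the guard: `/* Stream-level SENDME for a stream we do not know: drop it. Only stream_id 0 is circuit-level. */`. The guard also protects the `conn->package_window` dereference on the line right after it, which is worth saying in the same comment. The function body continues past the end of this hunk.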