2 files changed, 14 insertions, 3 deletions

diff --git a/changes/ipv6_automap b/changes/ipv6_automap
index 150349c382..1b44585277 100644
--- a/changes/ipv6_automap
+++ b/changes/ipv6_automap
@@ -10,3 +10,10 @@
     - AutomapHostsOnResolve responses are now randomized, to avoid
       annoying situations where Tor is restarted and applications
       connect to the wrong addresses.
+
+    - We never try more than 1000 times to pick a virtual address
+      when AutomapHostsOnResolve is set. That's good enough so long
+      as we aren't close to handing out our entire virtual address
+      space; if you're getting there, it's best to switch to IPv6
+      virtual addresses anyway.
+
diff --git a/src/or/addressmap.c b/src/or/addressmap.c
index e1efbf4bfd..f4c31295a8 100644
--- a/src/or/addressmap.c
+++ b/src/or/addressmap.c
@@ -863,9 +863,13 @@ addressmap_get_virtual_address(int type)
     const virtual_addr_conf_t *conf = ipv6 ?
       &virtaddr_conf_ipv6 : &virtaddr_conf_ipv4;
 
-    // This is an imperfect estimate of how many addresses are available, but
-    // that's ok.  We also don't try every one.
-    uint32_t attempts = ipv6 ? UINT32_MAX : (1u << (32- conf->bits));
+    /* Don't try more than 1000 times.  This gives us P < 1e-9 for
+     * failing to get a good address so long as the address space is
+     * less than ~97.95% full.  That's always going to be true under
+     * sensible circumstances for an IPv6 /10, and it's going to be
+     * true for an IPv4 /10 as long as we've handed out less than
+     * 4.08 million addresses. */
+    uint32_t attempts = 1000;
 
     tor_addr_t addr;