diff options
| -rw-r--r-- | changes/bug6271-related | 6 | ||||
| -rw-r--r-- | src/or/relay.c | 2 |
2 files changed, 7 insertions, 1 deletions
diff --git a/changes/bug6271-related b/changes/bug6271-related new file mode 100644 index 0000000000..78e53c8887 --- /dev/null +++ b/changes/bug6271-related @@ -0,0 +1,6 @@ + o Minor bugfixes (spec conformance): + - Reject EXTEND cells sent to nonexistent streams. According to the + spec, an EXTEND cell sent to _any_ nonzero stream ID is invalid, but + we were only checking for stream IDs that were currenty in use. + Found while hunting for more instances of bug 6271. Bugfix on + 0.0.2pre8, which introduced incremental circuit construction. diff --git a/src/or/relay.c b/src/or/relay.c index 33735dea2a..a866d2d4ea 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1175,7 +1175,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, case RELAY_COMMAND_EXTEND: { static uint64_t total_n_extend=0, total_nonearly=0; total_n_extend++; - if (conn) { + if (rh.stream_id) { log_fn(LOG_PROTOCOL_WARN, domain, "'extend' cell received for non-zero stream. Dropping."); return 0; |