diff options
| -rw-r--r-- | changes/bug40644 | 8 | ||||
| -rw-r--r-- | src/core/or/congestion_control_common.c | 11 |
2 files changed, 18 insertions, 1 deletions
diff --git a/changes/bug40644 b/changes/bug40644 new file mode 100644 index 0000000000..a27c63ede2 --- /dev/null +++ b/changes/bug40644 @@ -0,0 +1,8 @@ + o Minor bugfixes (congestion control): + - Add a check for an integer underflow condition that might + happen in cases where the system clock is stopped, the + ORconn is blocked, and the endpoint sends more than a + congestion window worth of non-data control cells at once. + This would cause a large congestion window to be calculated + instead of a small one. No security impact. Fixes bug 40644; + bugfix on 0.4.7.5-alpha. diff --git a/src/core/or/congestion_control_common.c b/src/core/or/congestion_control_common.c index 71cd666ee2..42f816690f 100644 --- a/src/core/or/congestion_control_common.c +++ b/src/core/or/congestion_control_common.c @@ -882,10 +882,19 @@ congestion_control_update_circuit_bdp(congestion_control_t *cc, if (!cc->ewma_rtt_usec) { uint64_t cwnd = cc->cwnd; + tor_assert_nonfatal(cc->cwnd <= cwnd_max); + /* If the channel is blocked, keep subtracting off the chan_q * until we hit the min cwnd. */ if (blocked_on_chan) { - cwnd = MAX(cwnd - chan_q, cc->cwnd_min); + /* Cast is fine because we're less than int32 */ + if (chan_q >= (int64_t)cwnd) { + log_notice(LD_CIRC, + "Clock stall with large chanq: %d %"PRIu64, chan_q, cwnd); + cwnd = cc->cwnd_min; + } else { + cwnd = MAX(cwnd - chan_q, cc->cwnd_min); + } cc->blocked_chan = 1; } else { cc->blocked_chan = 0; |