1 files changed, 18 insertions, 0 deletions

diff --git a/src/or/dos.c b/src/or/dos.c
index 9e8a7a9abe..4d1797eece 100644
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -309,6 +309,16 @@ cc_stats_refill_bucket(cc_client_stats_t *stats, const tor_addr_t *addr)
     new_circuit_bucket_count = MIN(stats->circuit_bucket + (uint32_t)num_token,
                                    dos_cc_circuit_burst);
   }
+
+  /* This function is not allowed to make the bucket count larger than the
+   * burst value */
+  tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst);
+  /* This function is not allowed to make the bucket count smaller, unless it
+   * is decreasing it to a newly configured, lower burst value. We allow the
+   * bucket to stay the same size, in case the circuit rate is zero. */
+  tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket ||
+                      new_circuit_bucket_count == dos_cc_circuit_burst);
+
   log_debug(LD_DOS, "DoS address %s has its circuit bucket value: %" PRIu32
                     ". Filling it to %" PRIu32 ". Circuit rate is %" PRIu64
                     ". Elapsed time is %" PRIi64,
@@ -738,6 +748,14 @@ dos_close_client_conn(const or_connection_t *or_conn)
 void
 dos_consensus_has_changed(const networkstatus_t *ns)
 {
+  /* There are two ways to configure this subsystem, one at startup through
+   * dos_init() which is called when the options are parsed. And this one
+   * through the consensus. We don't want to enable any DoS mitigation if we
+   * aren't a public relay. */
+  if (!public_server_mode(get_options())) {
+    return;
+  }
+
   cc_consensus_has_changed(ns);
   conn_consensus_has_changed(ns);