diff options
| author | Nick Mathewson <nickm@torproject.org> | 2014-06-03 18:19:08 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-06-03 18:19:08 -0400 |
| commit | 84ed086d4858ed14de4a4a8bfc3283a73b7c4657 (patch) | |
| tree | 4f5e33ed2f65be0cd2b7b2e2a22714d1eba833cb | |
| parent | 8d9602c21ccc0d93c82c651d94791df88cf4c9ad (diff) | |
| download | tor-84ed086d4858ed14de4a4a8bfc3283a73b7c4657.tar tor-84ed086d4858ed14de4a4a8bfc3283a73b7c4657.tar.gz | |
Fix ancient code that only checked circ_id, not circ_id and chan
This code mis-handled the case where a circuit got the same circuit
ID in both directions. I found three instances of it in the
codebase, by grepping for [pn]_circ_id.
Because of the issue in command_process_relay_cell(), this would
have made roughly one circuit in a million completely nonfunctional.
Fixes bug 12195.
| -rw-r--r-- | changes/bug12195 | 7 | ||||
| -rw-r--r-- | src/or/command.c | 4 |
2 files changed, 10 insertions, 1 deletions
diff --git a/changes/bug12195 b/changes/bug12195 new file mode 100644 index 000000000..f798129e6 --- /dev/null +++ b/changes/bug12195 @@ -0,0 +1,7 @@ + o Major bugfixes: + - When a circuit accidentally has the same circuit ID for its + forward and reverse direction, correctly detect the direction of + cells using that circuit. Previously, this would have made + roughly one circuit in a million non-functional. Fixes bug + 12195; this is a bugfix on every version of Tor. + diff --git a/src/or/command.c b/src/or/command.c index 699b02fb4..f638fad41 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -349,7 +349,7 @@ command_process_created_cell(cell_t *cell, channel_t *chan) return; } - if (circ->n_circ_id != cell->circ_id) { + if (circ->n_circ_id != cell->circ_id || circ->n_chan != chan) { log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL, "got created cell from Tor client? Closing."); circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL); @@ -434,6 +434,7 @@ command_process_relay_cell(cell_t *cell, channel_t *chan) } if (!CIRCUIT_IS_ORIGIN(circ) && + chan == TO_OR_CIRCUIT(circ)->p_chan && cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) direction = CELL_DIRECTION_OUT; else @@ -501,6 +502,7 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan) reason = (uint8_t)cell->payload[0]; if (!CIRCUIT_IS_ORIGIN(circ) && + chan == TO_OR_CIRCUIT(circ)->p_chan && cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) { /* the destroy came from behind */ circuit_set_p_circid_chan(TO_OR_CIRCUIT(circ), 0, NULL); |