1 files changed, 13 insertions, 7 deletions

diff --git a/src/or/relay.c b/src/or/relay.c
index 5c430a6d7..66d1251eb 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -111,14 +111,14 @@ relay_set_digest(crypto_digest_t *digest, cell_t *cell)
 static int
 relay_digest_matches(crypto_digest_t *digest, cell_t *cell)
 {
-  char received_integrity[4], calculated_integrity[4];
+  uint32_t received_integrity, calculated_integrity;
   relay_header_t rh;
   crypto_digest_t *backup_digest=NULL;
 
   backup_digest = crypto_digest_dup(digest);
 
   relay_header_unpack(&rh, cell->payload);
-  memcpy(received_integrity, rh.integrity, 4);
+  memcpy(&received_integrity, rh.integrity, 4);
   memset(rh.integrity, 0, 4);
   relay_header_pack(cell->payload, &rh);
 
@@ -127,15 +127,15 @@ relay_digest_matches(crypto_digest_t *digest, cell_t *cell)
 //    received_integrity[2], received_integrity[3]);
 
   crypto_digest_add_bytes(digest, (char*) cell->payload, CELL_PAYLOAD_SIZE);
-  crypto_digest_get_digest(digest, calculated_integrity, 4);
+  crypto_digest_get_digest(digest, (char*) &calculated_integrity, 4);
 
-  if (tor_memneq(received_integrity, calculated_integrity, 4)) {
+  if (calculated_integrity != received_integrity) {
 //    log_fn(LOG_INFO,"Recognized=0 but bad digest. Not recognizing.");
 // (%d vs %d).", received_integrity, calculated_integrity);
     /* restore digest to its old form */
     crypto_digest_assign(digest, backup_digest);
     /* restore the relay header */
-    memcpy(rh.integrity, received_integrity, 4);
+    memcpy(rh.integrity, &received_integrity, 4);
     relay_header_pack(cell->payload, &rh);
     crypto_digest_free(backup_digest);
     return 0;
@@ -1437,7 +1437,6 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
     switch (rh.command) {
       case RELAY_COMMAND_BEGIN:
       case RELAY_COMMAND_CONNECTED:
-      case RELAY_COMMAND_DATA:
       case RELAY_COMMAND_END:
       case RELAY_COMMAND_RESOLVE:
       case RELAY_COMMAND_RESOLVED:
@@ -1462,6 +1461,9 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
        * EXIT_CONN_STATE_CONNECTING or EXIT_CONN_STATE_RESOLVING.
        * This speeds up HTTP, for example. */
       optimistic_data = 1;
+    } else if (rh.stream_id == 0 && rh.command == RELAY_COMMAND_DATA) {
+      log_warn(LD_BUG, "Somehow I had a connection that matched a "
+               "data cell with stream ID 0.");
     } else {
       return connection_edge_process_relay_cell_not_open(
                &rh, cell, circ, conn, layer_hint);
@@ -1522,7 +1524,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 
       circuit_consider_sending_sendme(circ, layer_hint);
 
-      if (!conn) {
+      if (rh.stream_id == 0) {
+        log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "Relay data cell with zero "
+               "stream_id. Dropping.");
+        return 0;
+      } else if (!conn) {
         log_info(domain,"data cell dropped, unknown stream (streamid %d).",
                  rh.stream_id);
         return 0;