Diffstat (limited to 'src')
-rw-r--r-- | src/common/crypto.c | 7 | ||||
-rw-r--r-- | src/config/torrc.bridge.in | 2 | ||||
-rw-r--r-- | src/config/torrc.sample.in | 2 | ||||
-rw-r--r-- | src/or/directory.c | 7 | ||||
-rw-r--r-- | src/or/rendservice.c | 14 | ||||
-rw-r--r-- | src/or/routerparse.c | 3 |
6 files changed, 22 insertions, 13 deletions
diff --git a/src/common/crypto.c b/src/common/crypto.c index dd85d1471..e37b28275 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1051,10 +1051,9 @@ crypto_pk_public_hybrid_encrypt(crypto_pk_t *env, tor_assert(outlen+symlen < INT_MAX); return (int)(outlen + symlen); err: - if (buf) { - memset(buf, 0, pkeylen); - tor_free(buf); - } + + memset(buf, 0, pkeylen); + tor_free(buf); crypto_cipher_free(cipher); return -1; } diff --git a/src/config/torrc.bridge.in b/src/config/torrc.bridge.in index 927c7bbba..b7b7e050b 100644 --- a/src/config/torrc.bridge.in +++ b/src/config/torrc.bridge.in @@ -96,6 +96,8 @@ Nickname Unnamed ## Define these to limit how much relayed traffic you will allow. Your ## own traffic is still unthrottled. Note that RelayBandwidthRate must ## be at least 20 KB. +## Note that units for these config options are bytes per second, not bits +## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. #RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) RelayBandwidthBurst 10485760 diff --git a/src/config/torrc.sample.in b/src/config/torrc.sample.in index 17e3f0b2a..258c12546 100644 --- a/src/config/torrc.sample.in +++ b/src/config/torrc.sample.in @@ -102,6 +102,8 @@ SocksListenAddress 127.0.0.1 # accept connections only from localhost ## Define these to limit how much relayed traffic you will allow. Your ## own traffic is still unthrottled. Note that RelayBandwidthRate must ## be at least 20 KB. +## Note that units for these config options are bytes per second, not bits +## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc. #RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps) #RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps) diff --git a/src/or/directory.c b/src/or/directory.c index fbde7859e..6394aece7 100644 --- a/src/or/directory.c +++ b/src/or/directory.c 
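Review bot: In the `err:` path of crypto_pk_public_hybrid_encrypt, `memset(buf, 0, pkeylen)` now runs without the `if (buf)` guard, so it is only safe if every `goto err` is reached after `buf` has been allocated. Those jumps are outside the hunk, so I would record the invariant next to the wipe with `/* buf is always allocated before any goto err. */`. Separately, a plain `memset` immediately before `tor_free` is a dead store that an optimizing compiler may drop. If `buf` holds key material, as the wipe suggests, a call the optimizer cannot elide, such as `OPENSSL_cleanse(buf, pkeylen);`, is the safer choice.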
@@ -354,6 +354,7 @@ directory_get_from_dirserver(uint8_t dir_purpose, uint8_t router_purpose, const routerstatus_t *rs = NULL; const or_options_t *options = get_options(); int prefer_authority = directory_fetches_from_authorities(options); + int require_authority = 0; int get_via_tor = purpose_needs_anonymity(dir_purpose, router_purpose); dirinfo_type_t type; time_t if_modified_since = 0; @@ -369,6 +370,7 @@ directory_get_from_dirserver(uint8_t dir_purpose, uint8_t router_purpose, case DIR_PURPOSE_FETCH_V2_NETWORKSTATUS: type = V2_DIRINFO; prefer_authority = 1; /* Only v2 authorities have these anyway. */ + require_authority = 1; /* Don't fallback to asking a non-authority */ break; case DIR_PURPOSE_FETCH_SERVERDESC: type = (router_purpose == ROUTER_PURPOSE_BRIDGE ? BRIDGE_DIRINFO : @@ -469,6 +471,11 @@ directory_get_from_dirserver(uint8_t dir_purpose, uint8_t router_purpose, return; } } + if (rs == NULL && require_authority) { + log_info(LD_DIR, "No authorities were available for %s: will try " + "later.", dir_conn_purpose_to_string(dir_purpose)); + return; + } } if (!rs && type != BRIDGE_DIRINFO) { /* anybody with a non-zero dirport will do */ diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 30b0d88af..44e669701 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -1064,6 +1064,13 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, time_t *access_time; const or_options_t *options = get_options(); + if (circuit->_base.purpose != CIRCUIT_PURPOSE_S_INTRO) { + log_warn(LD_PROTOCOL, + "Got an INTRODUCE2 over a non-introduction circuit %d.", + circuit->_base.n_circ_id); + return -1; + } + #ifndef NON_ANONYMOUS_MODE_ENABLED tor_assert(!(circuit->build_state->onehop_tunnel)); #endif 
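Review bot: The new `require_authority` return in the third directory.c hunk sits inside a block that closes on the very next line, so the `if (!rs && type != BRIDGE_DIRINFO)` fallback to any directory server is skipped only when that enclosing block is entered. Its condition is outside the hunk; if it can be false while `require_authority` is set, a v2 networkstatus fetch would still be sent to a non-authority. Putting the flag on the fallback itself removes that dependency: `if (!rs && !require_authority && type != BRIDGE_DIRINFO) {`. A comment on the declaration in the first hunk, `/* If set, give up rather than ask a non-authority. */`, would also document the flag next to `prefer_authority`.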
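Review bot: The purpose check moved to the top of rend_service_introduce carries no comment explaining why it must come before the `tor_assert` on `circuit->build_state` and the logging further down, so a later edit could move it back below them. I would add `/* Reject INTRODUCE2 on non-introduction circuits before touching any other circuit state; the cell is presumably remote input. */` above the `if`. The function body continues outside the hunk, so whether the caller closes the circuit on the `-1` return cannot be seen from here.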
@@ -1074,13 +1081,6 @@ rend_service_introduce(origin_circuit_t *circuit, const uint8_t *request, log_info(LD_REND, "Received INTRODUCE2 cell for service %s on circ %d.", escaped(serviceid), circuit->_base.n_circ_id); - if (circuit->_base.purpose != CIRCUIT_PURPOSE_S_INTRO) { - log_warn(LD_PROTOCOL, - "Got an INTRODUCE2 over a non-introduction circuit %d.", - circuit->_base.n_circ_id); - return -1; - } - /* min key length plus digest length plus nickname length */ if (request_len < DIGEST_LEN+REND_COOKIE_LEN+(MAX_NICKNAME_LEN+1)+ DH_KEY_LEN+42) { diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 33c68d74b..99b4eb073 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -5107,7 +5107,6 @@ rend_parse_client_keys(strmap_t *parsed_clients, const char *ckstr) while (!strcmpstart(current_entry, "client-name ")) { rend_authorized_client_t *parsed_entry; size_t len; - char descriptor_cookie_base64[REND_DESC_COOKIE_LEN_BASE64+2+1]; char descriptor_cookie_tmp[REND_DESC_COOKIE_LEN+2]; /* Determine end of string. */ const char *eos = strstr(current_entry, "\nclient-name "); @@ -5176,7 +5175,7 @@ rend_parse_client_keys(strmap_t *parsed_clients, const char *ckstr) tok->args[0], REND_DESC_COOKIE_LEN_BASE64+2+1) != REND_DESC_COOKIE_LEN)) { log_warn(LD_REND, "Descriptor cookie contains illegal characters: " - "%s", descriptor_cookie_base64); + "%s", escaped(tok->args[0])); goto err; } memcpy(parsed_entry->descriptor_cookie, descriptor_cookie_tmp, |
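Review bot: In the second routerparse.c hunk the warning now prints `escaped(tok->args[0])`, which is the cookie text itself. If descriptor cookies are client authorization secrets, as the surrounding names suggest, a cookie that is valid except for one mistyped character would end up almost intact in the log. Dropping the value keeps the diagnostic without recording the secret: `log_warn(LD_REND, "Descriptor cookie contains illegal characters.");`. The enclosing loop in rend_parse_client_keys starts and ends outside the hunk.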