From edf0d5b12c5d51e9f82e9c215d3b0386cf4688db Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sat, 31 Mar 2012 14:17:41 -0400 Subject: Prevent an (impossible) null-pointer dereference in connection_edge_process_relay_cell This would happen if the deliver window could become negative because of an nonexistent connection. (Fortunately, _that_ can't occur, thanks to circuit_consider_sending_sendme. Still, if we change our windowing logic at all, we won't want this to become triggerable.) Fix for bug 5541. Bugfix on 4a66865d, back from 0.0.2pre14. asn found this. Nice catch, asn! --- src/or/relay.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'src/or') diff --git a/src/or/relay.c b/src/or/relay.c index b637fadf5..3c2c81b82 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1103,8 +1103,12 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, (!layer_hint && --circ->deliver_window < 0)) { log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL, "(relay data) circ deliver_window below 0. Killing."); - connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); - connection_mark_for_close(TO_CONN(conn)); + if (conn) { + /* XXXX Do we actually need to do this? Will killing the circuit + * not send an END and mark the stream for close as appropriate? */ + connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL); + connection_mark_for_close(TO_CONN(conn)); + } return -END_CIRC_REASON_TORPROTOCOL; } log_debug(domain,"circ deliver_window now %d.", layer_hint ? -- cgit v1.2.3