From: Nick Mathewson Date: Fri, 18 Apr 2025 00:26:20 +0000 (-0400) Subject: Fix a bug in conflux_send_switch_command. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c1a41f32d935cdc496946b9a3018e0edaabefb1;p=thirdparty%2Ftor.git Fix a bug in conflux_send_switch_command. Using RELAY_PAYLOAD_SIZE(_MAX) here would send a relay message that used up more than the actual length of the cell. Instead, send only the actual CONFLUX_SWITCH message. Closes #41056; bugfix on 0.4.8.1-alpha.
---
diff --git a/changes/bug41056 b/changes/bug41056
new file mode 100644
index 0000000000..2a7dfc48c0
--- /dev/null
+++ b/changes/bug41056
@@ -0,0 +1,4 @@
+ o Minor bugfixes (protocol):
+ - Set the length field correctly on RELAY_COMMAND_CONFLUX_SWITCH
+ messages. Previously, it was always set to the maximum value.
+ Fixes bug 41056; bugfix on 0.4.8.1-alpha.
diff --git a/src/core/or/conflux_cell.c b/src/core/or/conflux_cell.c
index ae4a6c4a6f..03586e660b 100644
--- a/src/core/or/conflux_cell.c
+++ b/src/core/or/conflux_cell.c
@@ -311,37 +311,34 @@ bool
 conflux_send_switch_command(circuit_t *send_circ, uint64_t relative_seq)
 {
 trn_cell_conflux_switch_t *switch_cell = trn_cell_conflux_switch_new();
- cell_t cell;
+ uint8_t payload[RELAY_PAYLOAD_SIZE_MAX] = {0};
 bool ret = true;
 
 tor_assert(send_circ);
 tor_assert(relative_seq < UINT32_MAX);
 
- memset(&cell, 0, sizeof(cell));
-
 trn_cell_conflux_switch_set_seqnum(switch_cell, (uint32_t)relative_seq);
 
- if (trn_cell_conflux_switch_encode(cell.payload, RELAY_PAYLOAD_SIZE_MAX,
- switch_cell) < 0) {
+ ssize_t len = trn_cell_conflux_switch_encode(
+ payload, RELAY_PAYLOAD_SIZE_MAX,
+ switch_cell);
+ if (len < 0) {
 log_warn(LD_BUG, "Failed to encode conflux switch cell");
 ret = false;
 goto end;
 }
 
 /* Send the switch command to the new hop */
- // TODO CGO XXXXX Fix bug #41056.
 if (CIRCUIT_IS_ORIGIN(send_circ)) {
 relay_send_command_from_edge(0, send_circ,
 RELAY_COMMAND_CONFLUX_SWITCH,
- (const char*)cell.payload,
- RELAY_PAYLOAD_SIZE_MAX,
+ (const char*)payload, len,
 TO_ORIGIN_CIRCUIT(send_circ)->cpath->prev);
 } else {
 relay_send_command_from_edge(0, send_circ,
 RELAY_COMMAND_CONFLUX_SWITCH,
- (const char*)cell.payload,
- RELAY_PAYLOAD_SIZE_MAX,
- NULL);
+ (const char*)payload, len,
+ NULL);
 }
 
 end:
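Review bot: Both `relay_send_command_from_edge(...)` calls in the origin and non-origin branches still discard their result, so `ret` stays `true` and the caller cannot tell a failed send from a successful switch. If the call signals failure with a negative return (its declaration is not in this hunk, so confirm first), record it in each branch, e.g. `if (relay_send_command_from_edge(...) < 0) ret = false;`. Separately, `len` is an `ssize_t` passed as the payload length; it is known to be non-negative after `if (len < 0)`, but writing `(size_t)len` at the two call sites makes the signed-to-unsigned conversion explicit. The `= {0}` initializer on `payload` is worth a short comment such as `/* zeroed so no stack bytes can leak into the cell */`, since it replaces the removed `memset`. The function continues past `end:` outside the hunk, so the cleanup path is not reviewed here.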