Fix a bug handling SENDME cells on nonexistent streams.

This could result in bizarre window values. Report and patch
contributed pseudymously.  Fixes part of bug 6271. This bug was
introduced before the first Tor release, in svn commit r152.

(bug 6271, part a.)

diff --git a/changes/bug6271 b/changes/bug6271
new file mode 100644 (file)
index 0000000..06b129f
--- /dev/null
+++ b/changes/bug6271
@@ -0,0 +1,7 @@
+   o Major bugfixes
+
+     - Fix a bug handling SENDME cells on nonexistent streams that
+       could result in bizarre window values. Report and patch
+       contributed pseudymously.  Fixes part of bug 6271. This bug
+       was introduced before the first Tor release, in svn commit
+       r152.

diff --git a/src/or/relay.c b/src/or/relay.c
index b637fadf59f8a526619fc9bcfae916bd0846bf42..50c14556ff775f19493c3124b9506ef29230d316 100644 (file)
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1220,7 +1220,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
                "'connected' received, no conn attached anymore. Ignoring.");
       return 0;
     case RELAY_COMMAND_SENDME:
-      if (!conn) {
+      if (!rh.stream_id) {
         if (layer_hint) {
           layer_hint->package_window += CIRCWINDOW_INCREMENT;
           log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
@@ -1235,6 +1235,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
         }
         return 0;
       }
+      if (!conn) {
+        log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+                 rh.stream_id);
+        return 0;
+      }
       conn->package_window += STREAMWINDOW_INCREMENT;
       log_debug(domain,"stream-level sendme, packagewindow now %d.",
                 conn->package_window);