dos: Don't set consensus param if we aren't a public relay

We had this safeguard around dos_init() but not when the consensus changes
which can modify consensus parameters and possibly enable the DoS mitigation
even if tor wasn't a public relay.

Fixes #25223

Signed-off-by: David Goulet <dgoulet@torproject.org>

diff --git a/changes/bug25223 b/changes/bug25223
new file mode 100644 (file)
index 0000000..2a7eb6b
--- /dev/null
+++ b/changes/bug25223
@@ -0,0 +1,3 @@
+  o Minor bugfixes (DoS mitigation):
+    - Make sure we don't modify consensus parameters if we aren't a public
+      relay when a new consensus arrives. Fixes bug 25223.

diff --git a/src/or/dos.c b/src/or/dos.c
index 9e8a7a9abe39d66bae6ad3a50fd7dbbbc3cb4c53..bfa415e7b59bb8728b5154e4e65b780964ed063c 100644 (file)
--- a/src/or/dos.c
+++ b/src/or/dos.c
@@ -738,6 +738,14 @@ dos_close_client_conn(const or_connection_t *or_conn)
 void
 dos_consensus_has_changed(const networkstatus_t *ns)
 {
+  /* There are two ways to configure this subsystem, one at startup through
+   * dos_init() which is called when the options are parsed. And this one
+   * through the consensus. We don't want to enable any DoS mitigation if we
+   * aren't a public relay. */
+  if (!public_server_mode(get_options())) {
+    return;
+  }
+
   cc_consensus_has_changed(ns);
   conn_consensus_has_changed(ns);