circpad_setup_machine_on_circ(): exit early on error.

This function does a nonfatal assertion to make sure that a machine
is not registered twice, but Tobias Pulls found a case where it
happens.  Instead, make the function exit early so that it doesn't
cause a remotely triggered memory leak.

Fixes bug 33619; bugfix on 0.4.0.1-alpha.  This is also tracked as
TROVE-2020-004.

diff --git a/changes/ticket33619 b/changes/ticket33619
new file mode 100644 (file)
index 0000000..3c52858
--- /dev/null
+++ b/changes/ticket33619
@@ -0,0 +1,5 @@
+  o Major bugfixes (circuit padding, memory leaks):
+    - Avoid a remotely triggered memory leak in the case that a circuit
+      padding machine is somehow negotiated twice on the same circuit. Fixes
+      bug 33619; bugfix on 0.4.0.1-alpha.  Found by Tobias Pulls.  This is
+      also tracked as TROVE-2020-004.

diff --git a/src/core/or/circuitpadding.c b/src/core/or/circuitpadding.c
index a62cdcf9e6a71a08ef95529096b6888fe06d01b6..72b770113c7297f9dfca78c702d00f8e4d780e98 100644 (file)
--- a/src/core/or/circuitpadding.c
+++ b/src/core/or/circuitpadding.c
@@ -2381,9 +2381,12 @@ circpad_setup_machine_on_circ(circuit_t *on_circ,
     return;
   }
 
-  tor_assert_nonfatal(on_circ->padding_machine[machine->machine_index]
-                      == NULL);
-  tor_assert_nonfatal(on_circ->padding_info[machine->machine_index] == NULL);
+  IF_BUG_ONCE(on_circ->padding_machine[machine->machine_index] != NULL) {
+    return;
+  }
+  IF_BUG_ONCE(on_circ->padding_info[machine->machine_index] != NULL) {
+    return;
+  }
 
   /* Log message */
   if (CIRCUIT_IS_ORIGIN(on_circ)) {