]> git.ipfire.org Git - thirdparty/tor.git/commitdiff
projects / thirdparty / tor.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8d9602c)
Fix ancient code that only checked circ_id, not circ_id and chan
authorNick Mathewson <nickm@torproject.org>
Tue, 3 Jun 2014 22:19:08 +0000 (18:19 -0400)
committerNick Mathewson <nickm@torproject.org>
Tue, 3 Jun 2014 22:19:08 +0000 (18:19 -0400)
This code mis-handled the case where a circuit got the same circuit
ID in both directions.  I found three instances of it in the
codebase, by grepping for [pn]_circ_id.

Because of the issue in command_process_relay_cell(), this would
have made roughly one circuit in a million completely nonfunctional.

Fixes bug 12195.

changes/bug12195 [new file with mode: 0644] patch | blob
src/or/command.c patch | blob | blame | history

diff --git a/changes/bug12195 b/changes/bug12195
new file mode 100644 (file)
index 0000000..f798129
--- /dev/null
+++ b/changes/bug12195
@@ -0,0 +1,7 @@
+  o Major bugfixes:
+    - When a circuit accidentally has the same circuit ID for its
+      forward and reverse direction, correctly detect the direction of
+      cells using that circuit. Previously, this would have made
+      roughly one circuit in a million non-functional. Fixes bug
+      12195; this is a bugfix on every version of Tor.
+
diff --git a/src/or/command.c b/src/or/command.c
index 699b02fb479fca5aed674465c85ff61501cc823e..f638fad41cde1cd414528044d9eaf03e6f34758c 100644 (file)
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -349,7 +349,7 @@ command_process_created_cell(cell_t *cell, channel_t *chan)
     return;
   }
 
-  if (circ->n_circ_id != cell->circ_id) {
+  if (circ->n_circ_id != cell->circ_id || circ->n_chan != chan) {
     log_fn(LOG_PROTOCOL_WARN,LD_PROTOCOL,
            "got created cell from Tor client? Closing.");
     circuit_mark_for_close(circ, END_CIRC_REASON_TORPROTOCOL);
@@ -434,6 +434,7 @@ command_process_relay_cell(cell_t *cell, channel_t *chan)
   }
 
   if (!CIRCUIT_IS_ORIGIN(circ) &&
+      chan == TO_OR_CIRCUIT(circ)->p_chan &&
       cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id)
     direction = CELL_DIRECTION_OUT;
   else
@@ -501,6 +502,7 @@ command_process_destroy_cell(cell_t *cell, channel_t *chan)
   reason = (uint8_t)cell->payload[0];
 
   if (!CIRCUIT_IS_ORIGIN(circ) &&
+      chan == TO_OR_CIRCUIT(circ)->p_chan &&
       cell->circ_id == TO_OR_CIRCUIT(circ)->p_circ_id) {
     /* the destroy came from behind */
     circuit_set_p_circid_chan(TO_OR_CIRCUIT(circ), 0, NULL);
Mirror of https://git.torproject.org/tor.git