commit cdd882ee71fb2966854fe271d9896b7bf389b35c
Author: Nick Mathewson <nickm@torproject.org>
Date: Wed Aug 15 13:16:41 2012 -0400
Check for stream_id, not conn, on extend cells.
Extend cells aren't allowed to have a stream_id, but we were only blocking them when they had a stream_id that corresponded to a connection. As far as I can tell, this change is harmless: it will make some kinds of broken clients not work any more, but afaik nobody actually made a client that was broken in that way.
Found while hunting for other places where we made the same mistake as in 6271.
Bugfix on d7f50337c14c back from May 2003, which introduced telescoping circuit construction into 0.0.2pre8.
---
 changes/bug6271-related | 6 ++++++
 src/or/relay.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/changes/bug6271-related b/changes/bug6271-related new file mode 100644 index 0000000..78e53c8 --- /dev/null +++ b/changes/bug6271-related @@ -0,0 +1,6 @@ + o Minor bugfixes (spec conformance): + - Reject EXTEND cells sent to nonexistent streams. According to the + spec, an EXTEND cell sent to _any_ nonzero stream ID is invalid, but + we were only checking for stream IDs that were currenty in use. + Found while hunting for more instances of bug 6271. Bugfix on + 0.0.2pre8, which introduced incremental circuit construction. diff --git a/src/or/relay.c b/src/or/relay.c index 33735de..a866d2d 100644 --- a/src/or/relay.c +++ b/src/or/relay.c @@ -1175,7 +1175,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ, case RELAY_COMMAND_EXTEND: { static uint64_t total_n_extend=0, total_nonearly=0; total_n_extend++; - if (conn) { + if (rh.stream_id) { log_fn(LOG_PROTOCOL_WARN, domain, "'extend' cell received for non-zero stream. Dropping."); return 0;
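Review bot: In the new changes/bug6271-related entry, "currenty in use" is a typo for "currently in use". The entry also says the cells are rejected, while the relay.c branch logs "Dropping." and returns 0, so "Drop EXTEND cells sent to nonexistent streams" would describe the behaviour more exactly.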
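Review bot: The new `if (rh.stream_id)` test in the RELAY_COMMAND_EXTEND case of connection_edge_process_relay_cell() has no comment explaining why the header field is checked instead of `conn`; that reasoning lives only in the commit message. A one-line comment stating that EXTEND cells must carry stream ID zero, whether or not a connection matches, would keep a later cleanup from reverting it. The diffstat also shows no test added, so a case that sends an EXTEND cell with a nonzero stream ID that maps to no connection and expects it to be dropped would pin the fix down.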