commit b8a3602b2a7114f2027d4a3af27520b109762efd Merge: bcc96c77d 84adb9fcc Author: Nick Mathewson nickm@torproject.org Date: Thu Dec 21 10:54:05 2017 -0500
Merge branch 'maint-0.3.2'
changes/bug24666 | 7 +++++ src/or/circuitmux.c | 34 ++++++-------------- src/or/circuitmux.h | 2 +- src/or/or.h | 15 +++++++++ src/or/relay.c | 78 ++++++++++++++++++++++++++++++++++++++++++++-- src/or/relay.h | 8 +++++ src/test/test_circuitmux.c | 12 +++---- 7 files changed, 122 insertions(+), 34 deletions(-)
diff --cc src/or/relay.c index f6528c6ea,66e10567c..8ef66f03c --- a/src/or/relay.c +++ b/src/or/relay.c @@@ -2743,16 -2810,18 +2810,23 @@@ channel_flush_from_first_active_circuit while (n_flushed < max) { circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue); if (destroy_queue) { + destroy_cell_t *dcell; /* this code is duplicated from some of the logic below. Ugly! XXXX */ + /* If we are given a destroy_queue here, then it is required to be + * nonempty... */ tor_assert(destroy_queue->n > 0); - cell = cell_queue_pop(destroy_queue); + dcell = destroy_cell_queue_pop(destroy_queue); + /* ...and pop() will always yield a cell from a nonempty queue. */ + tor_assert(dcell); + /* frees dcell */ + cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids); - /* frees cell */ - channel_write_packed_cell(chan, cell); + /* Send the DESTROY cell. It is very unlikely that this fails but just + * in case, get rid of the channel. */ + if (channel_write_packed_cell(chan, cell) < 0) { + /* The cell has been freed. */ + channel_mark_for_close(chan); + continue; + } /* Update the cmux destroy counter */ circuitmux_notify_xmit_destroy(cmux); cell = NULL;