[tor-bugs] #12848 [Tor]: Tor wrongly process circuit as connected to n_chan even if create cell delivery not even tried

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Aug 12 10:00:15 UTC 2014


#12848: Tor wrongly process circuit as connected to n_chan even if create cell
delivery not even tried
-------------------------+------------------------------------
 Reporter:  cypherpunks  |          Owner:
     Type:  defect       |         Status:  new
 Priority:  normal       |      Milestone:
Component:  Tor          |        Version:  Tor: 0.2.5.5-alpha
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
-------------------------+------------------------------------
 If `circuit_deliver_create_cell()` failed Tor still assumes circuit was
 attached to n_chan and tries to mess with it later.
 While marking circuit by `circuit_mark_for_close()` it calls:
 {{{
   if (circ->n_chan) {
     circuit_clear_cell_queue(circ, circ->n_chan);
     /* Only send destroy if the channel isn't closing anyway */
     if (!(circ->n_chan->state == CHANNEL_STATE_CLOSING ||
           circ->n_chan->state == CHANNEL_STATE_CLOSED ||
           circ->n_chan->state == CHANNEL_STATE_ERROR)) {
       channel_send_destroy(circ->n_circ_id, circ->n_chan, reason);
     }
     circuitmux_detach_circuit(circ->n_chan->cmux, circ);
     circuit_set_n_circid_chan(circ, 0, NULL);
   }
 }}}
 It is useless, at least, or probably corrupting internal structures.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12848>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list