[tor-bugs] #13664 [Tor]: Potential issue with rend cache object when intro points falls to 0.

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 5 19:45:53 UTC 2014 

#13664: Potential issue with rend cache object when intro points falls to 0.
-------------------------+---------------------------------
     Reporter:  dgoulet  |      Owner:
         Type:  defect   |     Status:  new
     Priority:  normal   |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor      |    Version:
   Resolution:           |   Keywords:  tor-hs 025-backport
Actual Points:           |  Parent ID:
       Points:           |
-------------------------+---------------------------------

Comment (by asn):

 Replying to [ticket:13664 dgoulet]:
 > (Reproduced on Tor v0.2.6.1-alpha-dev (git-a142fc29aff4b476))
 >
 > <snip>
 >
 > However, the rend cache is not cleared of the old entry before fetching
 that new descriptor. So once the v2 descriptor is received, we store it in
 the cache using "rend_cache_store_v2_desc_as_client()" that prints this:
 >
 > {{{
 > Nov 04 15:36:09.000 [info] rend_cache_store_v2_desc_as_client(): We
 already have this service descriptor rejxmpqgho5vqdl4. [rendezvous-
 service-descriptor i7hkcux5dghqv6ahstewyccltr6aud2x
 > }}}
 >
 > So since we "have it" in the cache, we call "rend_client_desc_trynow()"
 and it completely fails because all intro points in the cache object are
 gone so this closes all pending connections.
 >

 Hello,

 three questions to better understand the issue:
 a) This behavior only triggers when all the IPs are down or found
 unreachable, right?

 b) How does Tor finally escape this loop in the current codebase? Since no
 IPs are reachable and no new descriptor can be fetched?

 c) IIUC, the `desc` in `if (e && !strcmp(desc, e->desc)) {` is the whole
 descriptor as a string. So if that check succeeds, we already have the
 exact same descriptor? How would it help if we kept that same descriptor,
 since all the IPs listed in there are apparently unreachable? Would it
 just try to reconnect to one of those IPs, in case the connection
 succeeds?

 Three stupid comments on code style:
 a) `NULL byte` is usually referenced as `NUL` in Tor code. AFAIK, that's
 the official ASCII name of `\0`. `NULL` is the C macro.

 b) Function arguments that are supposed to be filled with stuff are
 usually named `something_out` in Tor code. Maybe `rend_cache_build_key`
 should take `key_out`/`key_len_out` instead of `key`/`len`?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13664#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list