[tor-bugs] #8185 [Core Tor/Tor]: circuit_package_relay_cell(): Bug: outgoing relay cell has n_chan==NULL. Dropping.

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 29 13:22:16 UTC 2017


#8185: circuit_package_relay_cell(): Bug: outgoing relay cell has n_chan==NULL.
Dropping.
-------------------------------------------------+-------------------------
 Reporter:  mr-4                                 |          Owner:  nickm
     Type:  defect                               |         Status:
                                                 |  accepted
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.3.2.x-final
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.2.4.9-alpha
 Severity:  Major                                |     Resolution:
 Keywords:  tor-relay logging needs-analysis     |  Actual Points:
  harmless? annoyance                            |
Parent ID:                                       |         Points:  3
 Reviewer:  isis                                 |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):

 * owner:  (none) => nickm
 * status:  new => accepted


Comment:

 Interesting.  It looks like the callstack here is:
   * circuit_package_relay_cell()
   * relay_send_command_from_edge_()
   * relay_send_command_from_edge()
   * connection_edge_package_raw_inbuf()
   * connection_edge_process_inbuf()

 What else do we know?
   * This is an entry connection attached to an origin circuit.
   * As of connection_edge_process_inbuf(), the connection was in state
 AP_CONN_STATE_OPEN or AP_CONN_STATE_CONNECT_WAIT. (or else we wouldn't
 have called package_raw_inbuf())
   * As of connection_edge_package_raw_inbuf(), the connection was not
 marked for close. (Or else the function would have exited.)
   * By the time we reach the bottom of the callstack, the circuit's n_chan
 was NULL, which shouldn't be possible.

 I think what I'd most like to know at this point is the exact status of
 the circuit -- is it completely corrupted, marked for close, or in-
 progress for a build?

 I'm ''guessing'' that this connection was once attached to a working
 circuit (otherwise the earlier attempt to send the BEGIN cell would have
 failed with the same error) and then the circuit became non-working.

 What if the channel becomes closed, and so in channel_closed() we call
 circuit_unlink_all_from_channel()?  That will clear the n_chan field of
 the circuit, and mark the circuit.  But the streams attached to the
 circuit won't get marked for close or have their circuits removed until
 circuit_about_to_free() calls connection_edge_destroy().

 I'm going to go with the theory that the circuit is marked, and add
 logging to catch in case it isn't.  Cooking up a patch now...

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8185#comment:48>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
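
The teardown window hypothesised in the comment above, as an added toy model (not Tor source and not part of the ticket): the n_chan and marked-for-close fields follow the ticket's wording, while every toy_* name and the stage numbering are assumptions made for illustration. It shows why a stream can still try to package a cell after n_chan is cleared, and how checking the mark separates the expected window from an unmarked circuit that deserves a log line.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model, not Tor source. Field names follow the ticket; all toy_* names are made up. */
struct toy_circuit {
    const void *n_chan;      /* next-hop channel, NULL once unlinked */
    int marked_for_close;    /* teardown scheduled but not yet run */
    int stream_attached;     /* an edge stream still points at this circuit */
};

enum toy_result { TOY_SENT, TOY_NO_STREAM, TOY_DROP_MARKED, TOY_DROP_UNMARKED };

/* Channel closed: clear n_chan and mark the circuit. Streams are untouched. */
static void toy_unlink_from_channel(struct toy_circuit *c) {
    c->n_chan = NULL;
    c->marked_for_close = 1;
}

/* Later, when the marked circuit is freed, its streams are finally detached. */
static void toy_about_to_free(struct toy_circuit *c) {
    c->stream_attached = 0;
}

/* A stream with buffered data tries to package a cell onto its circuit. */
static enum toy_result toy_package_cell(const struct toy_circuit *c) {
    if (!c->stream_attached) return TOY_NO_STREAM;
    if (c->n_chan != NULL) return TOY_SENT;
    /* n_chan == NULL: tell the expected teardown window apart from real corruption. */
    return c->marked_for_close ? TOY_DROP_MARKED : TOY_DROP_UNMARKED;
}

/* Runs the sequence and returns the result seen at the given stage (0, 1 or 2). */
static enum toy_result toy_result_at_stage(int stage) {
    static const int chan = 1;  /* constructed stand-in for a live channel */
    struct toy_circuit c = { &chan, 0, 1 };
    if (stage >= 1) toy_unlink_from_channel(&c);
    if (stage >= 2) toy_about_to_free(&c);
    return toy_package_cell(&c);
}

int main(void) {
    static const char *names[] = { "sent", "no stream", "dropped (circuit marked)",
                                   "dropped (circuit NOT marked)" };
    for (int stage = 0; stage <= 2; stage++)
        printf("stage %d: %s\n", stage, names[toy_result_at_stage(stage)]);
    return 0;
}
```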

