[tor-bugs] #25312 [Core Tor/Tor]: circ: We can pick an active circuit that is marked for close

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 20 21:14:32 UTC 2018


#25312: circ: We can pick an active circuit that is marked for close
------------------------------+-----------------------------------
     Reporter:  dgoulet       |      Owner:  dgoulet
         Type:  defect        |     Status:  assigned
     Priority:  Medium        |  Milestone:  Tor: 0.3.4.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-cmux, tor-circuit
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+-----------------------------------
 The issue lies in when we detach circuits from the cmux.

 The function `circuitmux_get_first_active_circuit()` returns the first
 active circuit from the given cmux (attached to the channel).

 But, when we mark for close a circuit, we don't detach it from the cmux,
 it is only done "before free" so the result is that
 `cmux->policy->pick_active_circuit()` can return a marked for close
 circuit then a cell is dequeued from it and sent on the wire.

 In my experimentation, I only saw END, DROP and TRUNCATED relay commands
 being sent on the wire from a marked for close circuit. Thus, I don't
 think that is currently such a big problem but still, not that good I
 would say.

 We should assume that from the time the circuit is marked for close,
 nothing should go outbound on it from that point on.

 Possible solution would be to detach the circuit from the cmux when marked
 for close or make the active circuit function ignore closed circuit.

 Not sure at this point about backport.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25312>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
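
Added example, not part of the ticket and not Tor source code: a simplified model of the scenario above, showing the reported pick of a marked-for-close circuit next to the two proposed fixes (detach on mark, or skip marked circuits in the picker). All type and function names are hypothetical.

```c
/* Simplified model of the ticket's scenario. Not Tor source; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct circ {
  int id;
  bool marked_for_close;
  struct circ *next_active;            /* link in the mux's active list */
} circ_t;
typedef struct { circ_t *head; } mux_t;

static void mux_attach(mux_t *m, circ_t *c) { c->next_active = m->head; m->head = c; }

static void mux_detach(mux_t *m, circ_t *c) {
  for (circ_t **p = &m->head; *p; p = &(*p)->next_active)
    if (*p == c) { *p = c->next_active; c->next_active = NULL; return; }
}

/* Reported behaviour: the picker never looks at the close mark. */
static circ_t *pick_first_active(mux_t *m) { return m->head; }

/* Proposed fix B: the picker skips circuits that are marked for close. */
static circ_t *pick_first_unmarked(mux_t *m) {
  for (circ_t *c = m->head; c; c = c->next_active)
    if (!c->marked_for_close) return c;
  return NULL;
}

/* Proposed fix A: marking a circuit also removes it from the mux. */
static void mark_and_detach(mux_t *m, circ_t *c) { c->marked_for_close = true; mux_detach(m, c); }

/* mode 0: reported behaviour, 1: fix A, 2: fix B. Returns picked circuit id, or -1. */
int picked_after_mark(int mode) {
  circ_t a = {1, false, NULL}, b = {2, false, NULL};
  mux_t m = {NULL};
  mux_attach(&m, &b);
  mux_attach(&m, &a);                  /* circuit 1 is now first in the active list */
  if (mode == 1) mark_and_detach(&m, &a);
  else a.marked_for_close = true;      /* mark only; detach is deferred to free time */
  circ_t *c = (mode == 2) ? pick_first_unmarked(&m) : pick_first_active(&m);
  return c ? c->id : -1;
}

int main(void) {
  printf("reported: %d, detach on mark: %d, skip marked: %d\n",
         picked_after_mark(0), picked_after_mark(1), picked_after_mark(2));
  return 0;
}
```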

