[tor-bugs] #25226 [Core Tor/Tor]: Circuit cell queue can fill up memory

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 27 17:30:56 UTC 2018 

#25226: Circuit cell queue can fill up memory
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  dgoulet
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.3.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-cell, tor-relay, tor-dos,        |  Actual Points:
  033-must, review-group-34, security,           |
  033-triage-20180320, 033-included-20180320     |
Parent ID:                                       |         Points:
 Reviewer:  arma                                 |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arma):

 Replying to [comment:1 dgoulet]:
 > This is *not* trivial so I'll try to explain what I can see:
 >
 > In `append_cell_to_circuit_queue()`, there is a check on the cell queue
 for a maximum size which then makes the circuit to stop reading on the
 connection if reached:

 Careful here! You're right, but by "connection" you mean edge connection,
 or stream. Not TLS ("OR") connection.

 > Lets use the example where we are a Guard and we have an `or_circuit_t`
 with the "p_chan" being the client connection and the "n_chan" being the
 connection to the middle node.
 >
 > If we set the block on `n_chan`, we would only stop the read() if the
 circuit is origin because `p_streams` is only set on a tor client.

 Correct. That whole set_streams_blocked_on_circ() business is for
 *streams*, i.e. edge connections. Specifically, origin streams when we're
 a client, or exit streams when we're an exit.

 > Does this means that if we try to deliver a cell forward (n_chan), even
 though we've reached the high limit, we'll still queue it because there is
 never a time where we check if we are blocked on "n_chan" at the relay
 level?

 Yes.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25226#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list