[tor-bugs] #28669 [Core Tor/Tor]: Bug: ../src/feature/hs/hs_client.c:280: retry_all_socks_conn_waiting_for_desc

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 30 14:34:40 UTC 2018


#28669: Bug: ../src/feature/hs/hs_client.c:280:
retry_all_socks_conn_waiting_for_desc
--------------------------+------------------------------------
 Reporter:  traumschule   |          Owner:  (none)
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.4.0.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  tor-hs        |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by dgoulet):

 I've stated that theory in part in #27410 but now I do think this is a
 code path creating this issue:

 1. Tor gets a descriptor and tries to connect to it but intro points all
 fail so the descriptor ends up unusable, that is,
 `hs_client_any_intro_points_usable()` returns false.

 2. A SOCKS request is made to the .onion and because the intro points
 aren't usable, a refetch is triggered, see `connection_ap_handle_onion()`
 which puts the connection in `AP_CONN_STATE_RENDDESC_WAIT`.

 3. While (2) is happening, the computer goes into suspend mode for more
 than 30 minutes.

 4. When waking up, the `rend_cache_failure_clean()` callback is triggered
 which makes all the intro points usable all of a sudden.

 5. Everything is stalled until we get a live consensus which, when it
 arrives, the HS subsystem is informed with `hs_client_dir_info_changed()`
 that calls `retry_all_socks_conn_waiting_for_desc()` (from the stacktrace
 we have in the ticket).

 6. And boom, for `hs_client_refetch_hsdesc()` to return
 `HS_CLIENT_FETCH_HAVE_DESC`, we need a descriptor in the cache with usable
 intro points. We have that because (4) made the intro points usable and
 the descriptor from (1) is still in the cache. The BUG() is hit because we
 still have that pending SOCKS connection that is waiting for its
 descriptor from (2).

 The solution is that for this particular condition where we do have a
 descriptor in our cache but we have a connection waiting for a descriptor,
 instead of BUG(), we need to mark it as "pending for a circuit" like we do
 in `hs_client_desc_has_arrived()` which will trigger the connection to be
 attached to a circuit and thus the HS dance to start.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/28669#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
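
Added example, not part of the original comment and not Tor source code: a simplified C model that replays steps 1-6 and compares the current BUG() path with the handling proposed in the comment. Every `model_*` name is a hypothetical stand-in; the real function names appear only in comments, as the ticket gives them.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not Tor source; every model_* name is hypothetical. */
enum model_conn_state { MODEL_NEW, MODEL_RENDDESC_WAIT, MODEL_CIRCUIT_WAIT };

struct model_client {
    bool desc_cached;           /* descriptor from step 1 is in the cache */
    bool intro_failed;          /* failure-cache entries for its intro points */
    enum model_conn_state conn; /* the SOCKS connection from step 2 */
    int bug_hits;               /* times the BUG() condition was reached */
};

/* Stand-in for hs_client_any_intro_points_usable(). */
static bool model_intro_usable(const struct model_client *c) {
    return c->desc_cached && !c->intro_failed;
}

/* Stand-in for the SOCKS path through connection_ap_handle_onion(). */
static void model_socks_request(struct model_client *c) {
    c->conn = model_intro_usable(c) ? MODEL_CIRCUIT_WAIT : MODEL_RENDDESC_WAIT;
}

/* Stand-in for retry_all_socks_conn_waiting_for_desc(). */
static void model_retry_waiting(struct model_client *c, bool patched) {
    if (c->conn != MODEL_RENDDESC_WAIT) return;
    if (!model_intro_usable(c)) return;      /* refetch launched, keep waiting */
    /* Refetch would report HS_CLIENT_FETCH_HAVE_DESC for a waiting conn. */
    if (patched) c->conn = MODEL_CIRCUIT_WAIT; /* handling proposed above */
    else c->bug_hits++;                        /* unpatched: BUG() fires */
}

/* Replays steps 1-6; returns BUG() hits and stores the final conn state. */
static int model_run(bool patched, enum model_conn_state *final_state) {
    struct model_client c = { true, true, MODEL_NEW, 0 }; /* step 1 */
    model_socks_request(&c);          /* step 2: conn waits for a descriptor */
    c.intro_failed = false;           /* steps 3-4: failure cache cleaned */
    model_retry_waiting(&c, patched); /* steps 5-6: consensus arrives, retry */
    *final_state = c.conn;
    return c.bug_hits;
}

int main(void) {
    enum model_conn_state st;
    int hits = model_run(false, &st);
    printf("unpatched: bug_hits=%d state=%d\n", hits, st);
    hits = model_run(true, &st);
    printf("patched:   bug_hits=%d state=%d\n", hits, st);
    return 0;
}
```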

