[tor-bugs] #29786 [Core Tor/Tor]: Path bias circuits can still have cells pending

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Mar 14 16:56:52 UTC 2019


#29786: Path bias circuits can still have cells pending
------------------------------+--------------------
     Reporter:  mikeperry     |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-hs
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------
 In #25773, we realized that half-closed connections need to be checked for
 extra cells when the circuit has been switched to path bias testing. The
 checks were added to the top of circuit_receive_relay_cell(), by calling
 pathbias_check_probe_response() to check if the path bias probe was
 correct, and if not, we call pathbias_count_valid_cells() to check if the
 cell is from a previous half-closed connection.

 In https://github.com/mikeperry-tor/vanguards/issues/37, we learned that
 path bias circuits can still have a pending cell for onion services. In
 particular, there can be outstanding cells for
 RELAY_COMMAND_INTRO_ESTABLISHED, RELAY_COMMAND_RENDEZVOUS_ESTABLISHED, and
 RELAY_COMMAND_INTRODUCE_ACK, depending on circuit type.

 There's sloppy ways to fix this, which are easy (just hack
 pathbias_count_valid_cells() to allow 1 cell for those circuit types) and
 precise ways (actually track if the pending cell has been received or not
 before and after path bias transition).

 We should probably fix this the precise way, and just implement the hacky
 workaround in vanguards for now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29786>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list