[tor-commits] [tor/master] Prevent an (impossible) null-pointer dereference in connection_edge_process_relay_cell

nickm at torproject.org
Thu May 31 16:45:24 UTC 2012


commit edf0d5b12c5d51e9f82e9c215d3b0386cf4688db
Author: Nick Mathewson <nickm at torproject.org>
Date:   Sat Mar 31 14:17:41 2012 -0400

    Prevent an (impossible) null-pointer dereference in connection_edge_process_relay_cell
    
    This would happen if the deliver window could become negative
    because of a nonexistent connection.  (Fortunately, _that_ can't
    occur, thanks to circuit_consider_sending_sendme.  Still, if we
    change our windowing logic at all, we won't want this to become
    triggerable.)  Fix for bug 5541.  Bugfix on 4a66865d, back from
    0.0.2pre14.  asn found this.  Nice catch, asn!
---
 changes/bug5541 |    8 ++++++++
 src/or/relay.c  |    8 ++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/changes/bug5541 b/changes/bug5541
new file mode 100644
index 0000000..3cf0692
--- /dev/null
+++ b/changes/bug5541
@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+    - Prevent a null-pointer dereference when receiving a data cell
+      for a nonexistent stream when the circuit in question has an
+      empty deliver window. We don't believe this is triggerable,
+      since we don't currently allow deliver windows to become empty,
+      but the logic is tricky enough that it's better to make the code
+      robust. Fixes bug 5541; bugfix on 0.0.2pre14.
+
diff --git a/src/or/relay.c b/src/or/relay.c
index b637fad..3c2c81b 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1103,8 +1103,12 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
           (!layer_hint && --circ->deliver_window < 0)) {
         log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
                "(relay data) circ deliver_window below 0. Killing.");
-        connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
-        connection_mark_for_close(TO_CONN(conn));
+        if (conn) {
+          /* XXXX Do we actually need to do this?  Will killing the circuit
+           * not send an END and mark the stream for close as appropriate? */
+          connection_edge_end(conn, END_STREAM_REASON_TORPROTOCOL);
+          connection_mark_for_close(TO_CONN(conn));
+        }
         return -END_CIRC_REASON_TORPROTOCOL;
       }
       log_debug(domain,"circ deliver_window now %d.", layer_hint ?
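Review bot: The `if (conn)` guard fixes the dereference, but the `XXXX` comment it introduces leaves an open question that should be settled rather than merged as-is: the branch already returns `-END_CIRC_REASON_TORPROTOCOL`, so the caller will close the circuit, and if closing the circuit already ends and marks every attached stream, the two calls inside the guard are redundant and the whole block could be dropped; if it does not, the comment should say why the explicit `connection_edge_end` is still needed. Either way, the log line "(relay data) circ deliver_window below 0. Killing." now runs with `conn == NULL` as well, so consider including whether a stream was attached in the message, since that is exactly the case the commit message says should be impossible and would be the one worth noticing in logs.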
