Fix a bug handling SENDME cells on nonexistent streams.

This could result in bizarre window values. Report and patch contributed pseudymously. Fixes part of bug 6271. This bug was introduced before the first Tor release, in svn commit r152. (bug 6271, part a.)
2024-11-27 22:03:31 +01:00 · 2012-07-06 07:29:54 -04:00 · 2012-07-06 07:29:54 -04:00 · 419f541aa7
commit 419f541aa7
parent 229abbf4bb
2 changed files with 13 additions and 1 deletions
--- a/changes/bug6271
+++ b/changes/bug6271
@ -0,0 +1,7 @@
+   o Major bugfixes
+
+     - Fix a bug handling SENDME cells on nonexistent streams that
+       could result in bizarre window values. Report and patch
+       contributed pseudymously.  Fixes part of bug 6271. This bug
+       was introduced before the first Tor release, in svn commit
+       r152.
--- a/src/or/relay.c
+++ b/src/or/relay.c
@ -1220,7 +1220,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
               "'connected' received, no conn attached anymore. Ignoring.");
      return 0;
    case RELAY_COMMAND_SENDME:
-      if (!conn) {
+      if (!rh.stream_id) {
        if (layer_hint) {
          layer_hint->package_window += CIRCWINDOW_INCREMENT;
          log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
@ -1235,6 +1235,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
        }
        return 0;
      }
+      if (!conn) {
+        log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+                 rh.stream_id);
+        return 0;
+      }
      conn->package_window += STREAMWINDOW_INCREMENT;
      log_debug(domain,"stream-level sendme, packagewindow now %d.",
                conn->package_window);