diff --git a/changes/bug6271 b/changes/bug6271
new file mode 100644
index 0000000000..06b129f73f
--- /dev/null
+++ b/changes/bug6271
@@ -0,0 +1,7 @@
+ o Major bugfixes
+
+ - Fix a bug handling SENDME cells on nonexistent streams that
+ could result in bizarre window values. Report and patch
+ contributed pseudymously. Fixes part of bug 6271. This bug
+ was introduced before the first Tor release, in svn commit
+ r152.
diff --git a/src/or/relay.c b/src/or/relay.c
index b637fadf59..50c14556ff 100644
--- a/src/or/relay.c
+++ b/src/or/relay.c
@@ -1220,7 +1220,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 "'connected' received, no conn attached anymore. Ignoring.");
 return 0;
 case RELAY_COMMAND_SENDME:
- if (!conn) {
+ if (!rh.stream_id) {
 if (layer_hint) {
 layer_hint->package_window += CIRCWINDOW_INCREMENT;
 log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
@@ -1235,6 +1235,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
 }
 return 0;
 }
+ if (!conn) {
+ log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
+ rh.stream_id);
+ return 0;
+ }
 conn->package_window += STREAMWINDOW_INCREMENT;
 log_debug(domain,"stream-level sendme, packagewindow now %d.",
 conn->package_window);
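Review bot: The new `if (!conn)` guard in the second relay.c hunk stops a stream-level SENDME for a vanished stream from being mistaken for a circuit-level one, but neither window increment it now protects is bounded: `layer_hint->package_window += CIRCWINDOW_INCREMENT` in the first hunk and `conn->package_window += STREAMWINDOW_INCREMENT` just below the new guard still grow on every SENDME received, so a peer that sends SENDMEs without having consumed the corresponding data can still inflate the window well past its starting value; the changes entry itself says this fixes only part of bug 6271, so it is worth recording that the cap is still missing. A comment at the new guard would also help the next reader see why the order of the two checks matters: `/* Stream-level SENDME for a stream we no longer track: drop it rather than fall through to the circuit-level case above. */`. connection_edge_process_relay_cell starts and ends outside both hunks, so whether an upper bound on package_window is enforced elsewhere in it cannot be confirmed from here. The dropped cell is logged at info level only; if repeated unknown-stream SENDMEs are something an operator should be able to notice, consider whether a protocol-warning domain is the better fit, though that depends on how `domain` is chosen above the hunk.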