From 533fe36957e2fc78e2c76fb1a91f5b17c3dfb85e Mon Sep 17 00:00:00 2001
From: Mike Perry <mikeperry-git@torproject.org>
Date: Tue, 26 Jul 2022 22:28:02 +0000
Subject: [PATCH] Add an underflow check to a cwnd error condition.

---
 src/core/or/congestion_control_common.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/core/or/congestion_control_common.c b/src/core/or/congestion_control_common.c
index 71cd666ee2..42f816690f 100644
--- a/src/core/or/congestion_control_common.c
+++ b/src/core/or/congestion_control_common.c
@@ -882,10 +882,19 @@ congestion_control_update_circuit_bdp(congestion_control_t *cc,
   if (!cc->ewma_rtt_usec) {
      uint64_t cwnd = cc->cwnd;
 
+     tor_assert_nonfatal(cc->cwnd <= cwnd_max);
+
      /* If the channel is blocked, keep subtracting off the chan_q
       * until we hit the min cwnd. */
      if (blocked_on_chan) {
-       cwnd = MAX(cwnd - chan_q, cc->cwnd_min);
+       /* Cast is fine because we're less than int32 */
+       if (chan_q >= (int64_t)cwnd) {
+         log_notice(LD_CIRC,
+                    "Clock stall with large chanq: %d %"PRIu64, chan_q, cwnd);
+         cwnd = cc->cwnd_min;
+       } else {
+         cwnd = MAX(cwnd - chan_q, cc->cwnd_min);
+       }
        cc->blocked_chan = 1;
      } else {
        cc->blocked_chan = 0;