mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-30 15:43:32 +01:00
Merge branch 'maint-0.2.8' into release-0.2.8
This commit is contained in:
commit
89f40ba97a
7
changes/bug24666
Normal file
7
changes/bug24666
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
o Minor bugfixes (memory usage):
|
||||||
|
|
||||||
|
- When queuing DESTROY cells on a channel, only queue the
|
||||||
|
circuit-id and reason fields: not the entire 514-byte
|
||||||
|
cell. This fix should help mitigate any bugs or attacks that
|
||||||
|
fill up these queues, and free more RAM for other uses. Fixes
|
||||||
|
bug 24666; bugfix on 0.2.5.1-alpha.
|
@ -117,7 +117,7 @@ struct circuitmux_s {
|
|||||||
struct circuit_t *active_circuits_head, *active_circuits_tail;
|
struct circuit_t *active_circuits_head, *active_circuits_tail;
|
||||||
|
|
||||||
/** List of queued destroy cells */
|
/** List of queued destroy cells */
|
||||||
cell_queue_t destroy_cell_queue;
|
destroy_cell_queue_t destroy_cell_queue;
|
||||||
/** Boolean: True iff the last cell to circuitmux_get_first_active_circuit
|
/** Boolean: True iff the last cell to circuitmux_get_first_active_circuit
|
||||||
* returned the destroy queue. Used to force alternation between
|
* returned the destroy queue. Used to force alternation between
|
||||||
* destroy/non-destroy cells.
|
* destroy/non-destroy cells.
|
||||||
@ -383,7 +383,7 @@ circuitmux_alloc(void)
|
|||||||
rv = tor_malloc_zero(sizeof(*rv));
|
rv = tor_malloc_zero(sizeof(*rv));
|
||||||
rv->chanid_circid_map = tor_malloc_zero(sizeof(*( rv->chanid_circid_map)));
|
rv->chanid_circid_map = tor_malloc_zero(sizeof(*( rv->chanid_circid_map)));
|
||||||
HT_INIT(chanid_circid_muxinfo_map, rv->chanid_circid_map);
|
HT_INIT(chanid_circid_muxinfo_map, rv->chanid_circid_map);
|
||||||
cell_queue_init(&rv->destroy_cell_queue);
|
destroy_cell_queue_init(&rv->destroy_cell_queue);
|
||||||
|
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
@ -522,19 +522,10 @@ circuitmux_detach_all_circuits(circuitmux_t *cmux, smartlist_t *detached_out)
|
|||||||
void
|
void
|
||||||
circuitmux_mark_destroyed_circids_usable(circuitmux_t *cmux, channel_t *chan)
|
circuitmux_mark_destroyed_circids_usable(circuitmux_t *cmux, channel_t *chan)
|
||||||
{
|
{
|
||||||
packed_cell_t *cell;
|
destroy_cell_t *cell;
|
||||||
int n_bad = 0;
|
|
||||||
TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) {
|
TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) {
|
||||||
circid_t circid = 0;
|
channel_mark_circid_usable(chan, cell->circid);
|
||||||
if (packed_cell_is_destroy(chan, cell, &circid)) {
|
|
||||||
channel_mark_circid_usable(chan, circid);
|
|
||||||
} else {
|
|
||||||
++n_bad;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
if (n_bad)
|
|
||||||
log_warn(LD_BUG, "%d cell(s) on destroy queue did not look like a "
|
|
||||||
"DESTROY cell.", n_bad);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -591,7 +582,7 @@ circuitmux_free(circuitmux_t *cmux)
|
|||||||
I64_PRINTF_ARG(global_destroy_ctr));
|
I64_PRINTF_ARG(global_destroy_ctr));
|
||||||
}
|
}
|
||||||
|
|
||||||
cell_queue_clear(&cmux->destroy_cell_queue);
|
destroy_cell_queue_clear(&cmux->destroy_cell_queue);
|
||||||
|
|
||||||
tor_free(cmux);
|
tor_free(cmux);
|
||||||
}
|
}
|
||||||
@ -1469,7 +1460,7 @@ circuitmux_set_num_cells(circuitmux_t *cmux, circuit_t *circ,
|
|||||||
|
|
||||||
circuit_t *
|
circuit_t *
|
||||||
circuitmux_get_first_active_circuit(circuitmux_t *cmux,
|
circuitmux_get_first_active_circuit(circuitmux_t *cmux,
|
||||||
cell_queue_t **destroy_queue_out)
|
destroy_cell_queue_t **destroy_queue_out)
|
||||||
{
|
{
|
||||||
circuit_t *circ = NULL;
|
circuit_t *circ = NULL;
|
||||||
|
|
||||||
@ -1885,14 +1876,7 @@ circuitmux_append_destroy_cell(channel_t *chan,
|
|||||||
circid_t circ_id,
|
circid_t circ_id,
|
||||||
uint8_t reason)
|
uint8_t reason)
|
||||||
{
|
{
|
||||||
cell_t cell;
|
destroy_cell_queue_append(&cmux->destroy_cell_queue, circ_id, reason);
|
||||||
memset(&cell, 0, sizeof(cell_t));
|
|
||||||
cell.circ_id = circ_id;
|
|
||||||
cell.command = CELL_DESTROY;
|
|
||||||
cell.payload[0] = (uint8_t) reason;
|
|
||||||
|
|
||||||
cell_queue_append_packed_copy(NULL, &cmux->destroy_cell_queue, 0, &cell,
|
|
||||||
chan->wide_circ_ids, 0);
|
|
||||||
|
|
||||||
/* Destroy entering the queue, update counters */
|
/* Destroy entering the queue, update counters */
|
||||||
++(cmux->destroy_ctr);
|
++(cmux->destroy_ctr);
|
||||||
@ -1925,13 +1909,13 @@ circuitmux_count_queued_destroy_cells(const channel_t *chan,
|
|||||||
|
|
||||||
int64_t manual_total = 0;
|
int64_t manual_total = 0;
|
||||||
int64_t manual_total_in_map = 0;
|
int64_t manual_total_in_map = 0;
|
||||||
packed_cell_t *cell;
|
destroy_cell_t *cell;
|
||||||
|
|
||||||
TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) {
|
TOR_SIMPLEQ_FOREACH(cell, &cmux->destroy_cell_queue.head, next) {
|
||||||
circid_t id;
|
circid_t id;
|
||||||
++manual_total;
|
++manual_total;
|
||||||
|
|
||||||
id = packed_cell_get_circid(cell, chan->wide_circ_ids);
|
id = cell->circid;
|
||||||
if (circuit_id_in_use_on_channel(id, (channel_t*)chan))
|
if (circuit_id_in_use_on_channel(id, (channel_t*)chan))
|
||||||
++manual_total_in_map;
|
++manual_total_in_map;
|
||||||
}
|
}
|
||||||
|
@ -131,7 +131,7 @@ int64_t circuitmux_count_queued_destroy_cells(const channel_t *chan,
|
|||||||
|
|
||||||
/* Channel interface */
|
/* Channel interface */
|
||||||
circuit_t * circuitmux_get_first_active_circuit(circuitmux_t *cmux,
|
circuit_t * circuitmux_get_first_active_circuit(circuitmux_t *cmux,
|
||||||
cell_queue_t **destroy_queue_out);
|
destroy_cell_queue_t **destroy_queue_out);
|
||||||
void circuitmux_notify_xmit_cells(circuitmux_t *cmux, circuit_t *circ,
|
void circuitmux_notify_xmit_cells(circuitmux_t *cmux, circuit_t *circ,
|
||||||
unsigned int n_cells);
|
unsigned int n_cells);
|
||||||
void circuitmux_notify_xmit_destroy(circuitmux_t *cmux);
|
void circuitmux_notify_xmit_destroy(circuitmux_t *cmux);
|
||||||
|
15
src/or/or.h
15
src/or/or.h
@ -1134,6 +1134,21 @@ typedef struct cell_queue_t {
|
|||||||
int n; /**< The number of cells in the queue. */
|
int n; /**< The number of cells in the queue. */
|
||||||
} cell_queue_t;
|
} cell_queue_t;
|
||||||
|
|
||||||
|
/** A single queued destroy cell. */
|
||||||
|
typedef struct destroy_cell_t {
|
||||||
|
TOR_SIMPLEQ_ENTRY(destroy_cell_t) next;
|
||||||
|
circid_t circid;
|
||||||
|
uint32_t inserted_time; /** Timestamp when this was queued. */
|
||||||
|
uint8_t reason;
|
||||||
|
} destroy_cell_t;
|
||||||
|
|
||||||
|
/** A queue of destroy cells on a channel. */
|
||||||
|
typedef struct destroy_cell_queue_t {
|
||||||
|
/** Linked list of packed_cell_t */
|
||||||
|
TOR_SIMPLEQ_HEAD(dcell_simpleq, destroy_cell_t) head;
|
||||||
|
int n; /**< The number of cells in the queue. */
|
||||||
|
} destroy_cell_queue_t;
|
||||||
|
|
||||||
/** Beginning of a RELAY cell payload. */
|
/** Beginning of a RELAY cell payload. */
|
||||||
typedef struct {
|
typedef struct {
|
||||||
uint8_t command; /**< The end-to-end relay command. */
|
uint8_t command; /**< The end-to-end relay command. */
|
||||||
|
@ -2367,6 +2367,75 @@ cell_queue_pop(cell_queue_t *queue)
|
|||||||
return cell;
|
return cell;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** Initialize <b>queue</b> as an empty cell queue. */
|
||||||
|
void
|
||||||
|
destroy_cell_queue_init(destroy_cell_queue_t *queue)
|
||||||
|
{
|
||||||
|
memset(queue, 0, sizeof(destroy_cell_queue_t));
|
||||||
|
TOR_SIMPLEQ_INIT(&queue->head);
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Remove and free every cell in <b>queue</b>. */
|
||||||
|
void
|
||||||
|
destroy_cell_queue_clear(destroy_cell_queue_t *queue)
|
||||||
|
{
|
||||||
|
destroy_cell_t *cell;
|
||||||
|
while ((cell = TOR_SIMPLEQ_FIRST(&queue->head))) {
|
||||||
|
TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
|
||||||
|
tor_free(cell);
|
||||||
|
}
|
||||||
|
TOR_SIMPLEQ_INIT(&queue->head);
|
||||||
|
queue->n = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Extract and return the cell at the head of <b>queue</b>; return NULL if
|
||||||
|
* <b>queue</b> is empty. */
|
||||||
|
STATIC destroy_cell_t *
|
||||||
|
destroy_cell_queue_pop(destroy_cell_queue_t *queue)
|
||||||
|
{
|
||||||
|
destroy_cell_t *cell = TOR_SIMPLEQ_FIRST(&queue->head);
|
||||||
|
if (!cell)
|
||||||
|
return NULL;
|
||||||
|
TOR_SIMPLEQ_REMOVE_HEAD(&queue->head, next);
|
||||||
|
--queue->n;
|
||||||
|
return cell;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Append a destroy cell for <b>circid</b> to <b>queue</b>. */
|
||||||
|
void
|
||||||
|
destroy_cell_queue_append(destroy_cell_queue_t *queue,
|
||||||
|
circid_t circid,
|
||||||
|
uint8_t reason)
|
||||||
|
{
|
||||||
|
struct timeval now;
|
||||||
|
|
||||||
|
destroy_cell_t *cell = tor_malloc_zero(sizeof(destroy_cell_t));
|
||||||
|
cell->circid = circid;
|
||||||
|
cell->reason = reason;
|
||||||
|
tor_gettimeofday_cached_monotonic(&now);
|
||||||
|
/* Not yet used, but will be required for OOM handling. */
|
||||||
|
cell->inserted_time = (uint32_t)tv_to_msec(&now);
|
||||||
|
|
||||||
|
TOR_SIMPLEQ_INSERT_TAIL(&queue->head, cell, next);
|
||||||
|
++queue->n;
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Convert a destroy_cell_t to a newly allocated cell_t. Frees its input. */
|
||||||
|
static packed_cell_t *
|
||||||
|
destroy_cell_to_packed_cell(destroy_cell_t *inp, int wide_circ_ids)
|
||||||
|
{
|
||||||
|
packed_cell_t *packed = packed_cell_new();
|
||||||
|
cell_t cell;
|
||||||
|
memset(&cell, 0, sizeof(cell));
|
||||||
|
cell.circ_id = inp->circid;
|
||||||
|
cell.command = CELL_DESTROY;
|
||||||
|
cell.payload[0] = inp->reason;
|
||||||
|
cell_pack(packed, &cell, wide_circ_ids);
|
||||||
|
|
||||||
|
tor_free(inp);
|
||||||
|
return packed;
|
||||||
|
}
|
||||||
|
|
||||||
/** Return the total number of bytes used for each packed_cell in a queue.
|
/** Return the total number of bytes used for each packed_cell in a queue.
|
||||||
* Approximate. */
|
* Approximate. */
|
||||||
size_t
|
size_t
|
||||||
@ -2576,7 +2645,8 @@ channel_flush_from_first_active_circuit, (channel_t *chan, int max))
|
|||||||
{
|
{
|
||||||
circuitmux_t *cmux = NULL;
|
circuitmux_t *cmux = NULL;
|
||||||
int n_flushed = 0;
|
int n_flushed = 0;
|
||||||
cell_queue_t *queue, *destroy_queue=NULL;
|
cell_queue_t *queue;
|
||||||
|
destroy_cell_queue_t *destroy_queue=NULL;
|
||||||
circuit_t *circ;
|
circuit_t *circ;
|
||||||
or_circuit_t *or_circ;
|
or_circuit_t *or_circ;
|
||||||
int streams_blocked;
|
int streams_blocked;
|
||||||
@ -2591,9 +2661,17 @@ channel_flush_from_first_active_circuit, (channel_t *chan, int max))
|
|||||||
while (n_flushed < max) {
|
while (n_flushed < max) {
|
||||||
circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue);
|
circ = circuitmux_get_first_active_circuit(cmux, &destroy_queue);
|
||||||
if (destroy_queue) {
|
if (destroy_queue) {
|
||||||
|
destroy_cell_t *dcell;
|
||||||
/* this code is duplicated from some of the logic below. Ugly! XXXX */
|
/* this code is duplicated from some of the logic below. Ugly! XXXX */
|
||||||
|
/* If we are given a destroy_queue here, then it is required to be
|
||||||
|
* nonempty... */
|
||||||
tor_assert(destroy_queue->n > 0);
|
tor_assert(destroy_queue->n > 0);
|
||||||
cell = cell_queue_pop(destroy_queue);
|
dcell = destroy_cell_queue_pop(destroy_queue);
|
||||||
|
/* ...and pop() will always yield a cell from a nonempty queue. */
|
||||||
|
tor_assert(dcell);
|
||||||
|
/* frees dcell */
|
||||||
|
cell = destroy_cell_to_packed_cell(dcell, chan->wide_circ_ids);
|
||||||
|
/* frees cell */
|
||||||
channel_write_packed_cell(chan, cell);
|
channel_write_packed_cell(chan, cell);
|
||||||
/* Update the cmux destroy counter */
|
/* Update the cmux destroy counter */
|
||||||
circuitmux_notify_xmit_destroy(cmux);
|
circuitmux_notify_xmit_destroy(cmux);
|
||||||
|
@ -60,6 +60,13 @@ void cell_queue_append_packed_copy(circuit_t *circ, cell_queue_t *queue,
|
|||||||
void append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan,
|
void append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan,
|
||||||
cell_t *cell, cell_direction_t direction,
|
cell_t *cell, cell_direction_t direction,
|
||||||
streamid_t fromstream);
|
streamid_t fromstream);
|
||||||
|
|
||||||
|
void destroy_cell_queue_init(destroy_cell_queue_t *queue);
|
||||||
|
void destroy_cell_queue_clear(destroy_cell_queue_t *queue);
|
||||||
|
void destroy_cell_queue_append(destroy_cell_queue_t *queue,
|
||||||
|
circid_t circid,
|
||||||
|
uint8_t reason);
|
||||||
|
|
||||||
void channel_unlink_all_circuits(channel_t *chan, smartlist_t *detached_out);
|
void channel_unlink_all_circuits(channel_t *chan, smartlist_t *detached_out);
|
||||||
MOCK_DECL(int, channel_flush_from_first_active_circuit,
|
MOCK_DECL(int, channel_flush_from_first_active_circuit,
|
||||||
(channel_t *chan, int max));
|
(channel_t *chan, int max));
|
||||||
@ -99,6 +106,7 @@ STATIC int connection_edge_process_resolved_cell(edge_connection_t *conn,
|
|||||||
const relay_header_t *rh);
|
const relay_header_t *rh);
|
||||||
STATIC packed_cell_t *packed_cell_new(void);
|
STATIC packed_cell_t *packed_cell_new(void);
|
||||||
STATIC packed_cell_t *cell_queue_pop(cell_queue_t *queue);
|
STATIC packed_cell_t *cell_queue_pop(cell_queue_t *queue);
|
||||||
|
STATIC destroy_cell_t *destroy_cell_queue_pop(destroy_cell_queue_t *queue);
|
||||||
STATIC size_t cell_queues_get_total_allocation(void);
|
STATIC size_t cell_queues_get_total_allocation(void);
|
||||||
STATIC int cell_queues_check_size(void);
|
STATIC int cell_queues_check_size(void);
|
||||||
#endif
|
#endif
|
||||||
|
@ -34,8 +34,9 @@ test_cmux_destroy_cell_queue(void *arg)
|
|||||||
circuitmux_t *cmux = NULL;
|
circuitmux_t *cmux = NULL;
|
||||||
channel_t *ch = NULL;
|
channel_t *ch = NULL;
|
||||||
circuit_t *circ = NULL;
|
circuit_t *circ = NULL;
|
||||||
cell_queue_t *cq = NULL;
|
destroy_cell_queue_t *cq = NULL;
|
||||||
packed_cell_t *pc = NULL;
|
packed_cell_t *pc = NULL;
|
||||||
|
destroy_cell_t *dc = NULL;
|
||||||
|
|
||||||
scheduler_init();
|
scheduler_init();
|
||||||
|
|
||||||
@ -63,11 +64,9 @@ test_cmux_destroy_cell_queue(void *arg)
|
|||||||
|
|
||||||
tt_int_op(cq->n, OP_EQ, 3);
|
tt_int_op(cq->n, OP_EQ, 3);
|
||||||
|
|
||||||
pc = cell_queue_pop(cq);
|
dc = destroy_cell_queue_pop(cq);
|
||||||
tt_assert(pc);
|
tt_assert(dc);
|
||||||
tt_mem_op(pc->body, OP_EQ, "\x00\x00\x00\x64\x04\x0a\x00\x00\x00", 9);
|
tt_uint_op(dc->circid, OP_EQ, 100);
|
||||||
packed_cell_free(pc);
|
|
||||||
pc = NULL;
|
|
||||||
|
|
||||||
tt_int_op(circuitmux_num_cells(cmux), OP_EQ, 2);
|
tt_int_op(circuitmux_num_cells(cmux), OP_EQ, 2);
|
||||||
|
|
||||||
@ -75,6 +74,7 @@ test_cmux_destroy_cell_queue(void *arg)
|
|||||||
circuitmux_free(cmux);
|
circuitmux_free(cmux);
|
||||||
channel_free(ch);
|
channel_free(ch);
|
||||||
packed_cell_free(pc);
|
packed_cell_free(pc);
|
||||||
|
tor_free(dc);
|
||||||
}
|
}
|
||||||
|
|
||||||
struct testcase_t circuitmux_tests[] = {
|
struct testcase_t circuitmux_tests[] = {
|
||||||
|
Loading…
Reference in New Issue
Block a user