don't use old non-configured bridges (bug 2511)

changes/bug2511

@@ -0,0 +1,6 @@
+  o Major bugfixes:
+    - If you configured Tor to use bridge A, and then quit and
+      configured Tor to use bridge B instead, it would happily continue
+      to use bridge A if it's still reachable. While this behavior is
+      a feature if your goal is connectivity, in some scenarios it's a
+      dangerous bug. Bugfix on Tor 0.2.0.1-alpha; fixes bug 2511.

src/or/routerlist.c

@@ -3314,6 +3314,19 @@ router_add_to_routerlist(routerinfo_t *router, const char **msg,
     return ROUTER_NOT_IN_CONSENSUS;
   }
 
+  /* If we're reading a bridge descriptor from our cache, and we don't
+   * recognize it as one of our currently configured bridges, drop the
+   * descriptor. Otherwise we could end up using it as one of our entry
+   * guards even if it isn't in our Bridge config lines. */
+  if (router->purpose == ROUTER_PURPOSE_BRIDGE && from_cache &&
+      !routerinfo_is_a_configured_bridge(router)) {
+    log_info(LD_DIR, "Dropping bridge descriptor for '%s' because we have "
+             "no bridge configured at that address.", router->nickname);
+    *msg = "Router descriptor was not a configured bridge.";
+    routerinfo_free(router);
+    return ROUTER_WAS_NOT_NEW;
+  }
+
   /* If we have a router with the same identity key, choose the newer one. */
   if (old_router) {
     if (!in_consensus && (router->cache_info.published_on <=