Bug 40897: Move safety check to proper location and give it error handling.

src/core/or/conflux_pool.c

@@ -493,10 +493,6 @@ cfx_add_leg(conflux_t *cfx, leg_t *leg)
   /* Big trouble if we add a leg to the wrong set. */
   tor_assert(tor_memeq(cfx->nonce, leg->link->nonce, sizeof(cfx->nonce)));
 
-  if (BUG(CONFLUX_NUM_LEGS(cfx) > CONFLUX_MAX_CIRCS)) {
-    return;
-  }
-
   conflux_leg_t *cleg = tor_malloc_zero(sizeof(*cleg));
   cleg->circ = leg->circ;
   // TODO-329-ARTI: Blindly copying the values from the cell. Is this correct?
@@ -731,6 +727,9 @@ try_finalize_set(unlinked_circuits_t *unlinked)
   bool is_client;
 
   tor_assert(unlinked);
+  tor_assert(unlinked->legs);
+  tor_assert(unlinked->cfx);
+  tor_assert(unlinked->cfx->legs);
 
   /* Without legs, this is not ready to become a linked set. */
   if (BUG(smartlist_len(unlinked->legs) == 0)) {
@@ -738,6 +737,17 @@ try_finalize_set(unlinked_circuits_t *unlinked)
     goto end;
   }
 
+  /* If there are too many legs, we can't link. */
+  if (smartlist_len(unlinked->legs) +
+      smartlist_len(unlinked->cfx->legs) > CONFLUX_MAX_CIRCS) {
+    log_fn(LOG_PROTOCOL_WARN, LD_CIRC,
+           "Conflux set has too many legs to link. "
+           "Rejecting this circuit.");
+    conflux_log_set(LOG_PROTOCOL_WARN, unlinked->cfx, unlinked->is_client);
+    err = ERR_LINK_CIRC_INVALID_LEG;
+    goto end;
+  }
+
   /* Validate that all legs are coherent and parameters match. On failure, we
    * teardown the whole unlinked set because this means we either have a code
    * flow problem or the Exit is trying to trick us. */