Merge branch 'maint-0.4.7'

2024-11-24 04:13:28 +01:00 · 2022-08-02 15:31:00 -04:00 · 2022-08-02 15:31:00 -04:00 · f51c68729f
commit f51c68729f
parent 22cb4c23d0 af5ef98d1b
2 changed files with 18 additions and 1 deletions
--- a/changes/bug40644
+++ b/changes/bug40644
@ -0,0 +1,8 @@
+  o Minor bugfixes (congestion control):
+    - Add a check for an integer underflow condition that might
+      happen in cases where the system clock is stopped, the
+      ORconn is blocked, and the endpoint sends more than a
+      congestion window worth of non-data control cells at once.
+      This would cause a large congestion window to be calculated
+      instead of a small one. No security impact. Fixes bug 40644;
+      bugfix on 0.4.7.5-alpha.
--- a/src/core/or/congestion_control_common.c
+++ b/src/core/or/congestion_control_common.c
@ -882,10 +882,19 @@ congestion_control_update_circuit_bdp(congestion_control_t *cc,
  if (!cc->ewma_rtt_usec) {
     uint64_t cwnd = cc->cwnd;

+     tor_assert_nonfatal(cc->cwnd <= cwnd_max);
+
     /* If the channel is blocked, keep subtracting off the chan_q
      * until we hit the min cwnd. */
     if (blocked_on_chan) {
-       cwnd = MAX(cwnd - chan_q, cc->cwnd_min);
+       /* Cast is fine because we're less than int32 */
+       if (chan_q >= (int64_t)cwnd) {
+         log_notice(LD_CIRC,
+                    "Clock stall with large chanq: %d %"PRIu64, chan_q, cwnd);
+         cwnd = cc->cwnd_min;
+       } else {
+         cwnd = MAX(cwnd - chan_q, cc->cwnd_min);
+       }
       cc->blocked_chan = 1;
     } else {
       cc->blocked_chan = 0;