Commit 419f541a authored by Nick Mathewson's avatar Nick Mathewson 🤹

Fix a bug handling SENDME cells on nonexistent streams.

This could result in bizarre window values. Report and patch
contributed pseudonymously.  Fixes part of bug 6271. This bug was
introduced before the first Tor release, in svn commit r152.

(bug 6271, part a.)
parent 229abbf4

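--- a/changes/bug6271
+++ b/changes/bug6271
@@ -0,0 +1,7 @@
+   o Major bugfixes
+
+     - Fix a bug handling SENDME cells on nonexistent streams that
+       could result in bizarre window values. Report and patch
+       contributed pseudymously.  Fixes part of bug 6271. This bug
+       was introduced before the first Tor release, in svn commit
+       r152.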
+6 −1
@@ -1220,7 +1220,7 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
               "'connected' received, no conn attached anymore. Ignoring.");
      return 0;
    case RELAY_COMMAND_SENDME:
      if (!conn) {
      if (!rh.stream_id) {
        if (layer_hint) {
          layer_hint->package_window += CIRCWINDOW_INCREMENT;
          log_debug(LD_APP,"circ-level sendme at origin, packagewindow %d.",
@@ -1235,6 +1235,11 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
        }
        return 0;
      }
      if (!conn) {
        log_info(domain,"sendme cell dropped, unknown stream (streamid %d).",
                 rh.stream_id);
        return 0;
      }
      conn->package_window += STREAMWINDOW_INCREMENT;
      log_debug(domain,"stream-level sendme, packagewindow now %d.",
                conn->package_window);
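Review bot: The stream-level increment `conn->package_window += STREAMWINDOW_INCREMENT;` at the end of the second hunk, and the circuit-level `layer_hint->package_window += CIRCWINDOW_INCREMENT;` in the first, have no upper bound in the visible lines, so a peer that sends more SENDME cells than it is owed could push the package window past its starting value and weaken flow control. Unless that bound is enforced outside these hunks, a guard before each increment would close the gap, for example `if (conn->package_window + STREAMWINDOW_INCREMENT > STREAMWINDOW_START) { /* log as a protocol violation and drop */ return 0; }`, with the matching check against `CIRCWINDOW_START` on the circuit path. connection_edge_process_relay_cell starts and ends outside both hunks, and the lines between them are not shown, so an existing check there cannot be ruled out.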