Check the calculations in cc_stats_refill_bucket using non fatal assertions
In #25128 (moved), we removed an incorrect non-fatal assertion in cc_stats_refill_bucket() to silence a warning:
```c
/* This function is not allowed to make the bucket count smaller */
tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket);
```
But we could have fixed the check instead, and added another check:
```c
/* This function is not allowed to make the bucket count larger than the burst value */
tor_assert_nonfatal(new_circuit_bucket_count <= dos_cc_circuit_burst);

/* This function is not allowed to make the bucket count smaller, unless it is
 * decreasing it to a newly configured, lower burst value. We allow the bucket to
 * stay the same size, in case the circuit rate is zero. */
tor_assert_nonfatal(new_circuit_bucket_count >= stats->circuit_bucket ||
                    new_circuit_bucket_count == dos_cc_circuit_burst);
```
We could be even more clever, and skip parts of the function if the rate is zero. That's probably unnecessary. I'll think about it.
I should get a chance to turn this into a proper branch over the next week or so. If someone else wants to do it before then, go for it!
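As an added illustration (not tor's code and not part of this ticket), the following C program models a token-bucket refill with the two proposed invariants and shows why the removed check was wrong: it rejects the legitimate case where a newly lowered burst value clamps the bucket downwards, while the corrected pair of checks accepts it and still catches a bucket that overshoots the burst or shrinks for any other reason. The `cc_stats_t` layout, `cc_refill_bucket()`, `refill_scenario()` and the rate/burst numbers are all constructed for the example; tor's real `cc_stats_refill_bucket()` and `dos_cc_circuit_burst` are only approximated here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for tor's per-client circuit-creation stats.
 * Only the fields this example needs are modelled. */
typedef struct {
  uint32_t circuit_bucket;   /* tokens currently available */
  int64_t last_refill_ts;    /* seconds at the last refill */
} cc_stats_t;

/* The check removed in #25128: it fires when a lowered burst value
 * legitimately shrinks the bucket. */
static bool old_refill_check(uint32_t old_bucket, uint32_t new_bucket) {
  return new_bucket >= old_bucket;
}

/* The two checks proposed in the ticket, returned as a value so the caller
 * (in tor, tor_assert_nonfatal) can act on it. */
static bool refill_checks_pass(uint32_t old_bucket, uint32_t new_bucket,
                               uint32_t burst) {
  /* Not allowed to exceed the burst value. */
  if (new_bucket > burst)
    return false;
  /* Not allowed to shrink, unless clamping to a newly lowered burst.
   * Staying the same size is fine (rate zero, or bucket already full). */
  if (new_bucket < old_bucket && new_bucket != burst)
    return false;
  return true;
}

/* Hypothetical refill: credit rate * elapsed tokens, then clamp to burst.
 * Arithmetic is done in 64 bits so a long idle period cannot wrap. */
static uint32_t cc_refill_bucket(cc_stats_t *stats, int64_t now,
                                 uint32_t rate, uint32_t burst) {
  int64_t elapsed = now - stats->last_refill_ts;
  if (elapsed < 0)
    elapsed = 0;  /* clock went backwards: credit nothing */
  uint64_t new_count = (uint64_t)stats->circuit_bucket +
                       (uint64_t)rate * (uint64_t)elapsed;
  if (new_count > burst)
    new_count = burst;
  uint32_t old_bucket = stats->circuit_bucket;
  stats->circuit_bucket = (uint32_t)new_count;
  stats->last_refill_ts = now;
  /* This is where the non-fatal assertions would sit in the real function. */
  if (!refill_checks_pass(old_bucket, stats->circuit_bucket, burst))
    fprintf(stderr, "BUG: refill %u -> %u violates invariants (burst %u)\n",
            old_bucket, stats->circuit_bucket, burst);
  return stats->circuit_bucket;
}

/* Run one refill from a constructed state and return the resulting count. */
static uint32_t refill_scenario(uint32_t start, int64_t t0, int64_t t1,
                                uint32_t rate, uint32_t burst) {
  cc_stats_t stats = { start, t0 };
  return cc_refill_bucket(&stats, t1, rate, burst);
}

int main(void) {
  printf("normal refill:  %u\n", refill_scenario(50, 100, 110, 3, 90)); /* 80 */
  printf("clamped:        %u\n", refill_scenario(80, 100, 110, 3, 90)); /* 90 */
  printf("rate zero:      %u\n", refill_scenario(50, 100, 200, 0, 90)); /* 50 */
  printf("burst lowered:  %u\n", refill_scenario(80, 100, 101, 3, 60)); /* 60 */
  printf("old check, burst lowered 80 -> 60: %s\n",
         old_refill_check(80, 60) ? "pass" : "fail");            /* fail */
  printf("new checks, burst lowered 80 -> 60: %s\n",
         refill_checks_pass(80, 60, 60) ? "pass" : "fail");      /* pass */
  return 0;
}
```

The "burst lowered" scenario is the one that made the original assertion misfire: the bucket goes from 80 to 60 because the configured burst dropped to 60, which `old_refill_check()` reports as a bug while `refill_checks_pass()` accepts it. A shrink to any value other than the burst, or a count above the burst, still fails the new checks.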