we don't check which hop a cell is from well enough
If the streamid of one stream on our circuit collides with the streamid of another stream (say, because they exit at different hops), this goes bad. There may also be an attack here where intermediate hops can try to inject cells into streams that are supposed to be at different hops.
(Somebody should look at this harder before we blindly put the patch in.)
Patch from lodger:
--- relay.c Fri May 25 06:51:40 2007 +++ relay.c Tue Jun 5 07:30:38 2007 @@ -18,5 +18,5 @@ crypt_path_t **layer_hint, char *recognized); static edge_connection_t *relay_lookup_conn(circuit_t *circ, cell_t *cell,
-
int cell_direction);
-
int cell_direction, crypt_path_t *layer_hint);
static int @@ -163,5 +163,6 @@
if (recognized) {
- edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction);
- edge_connection_t *conn = relay_lookup_conn(circ, cell, cell_direction,
-
if (cell_direction == CELL_DIRECTION_OUT) { ++stats_n_relay_cells_delivered; @@ -373,5 +374,6 @@ */ static edge_connection_t * -relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction) +relay_lookup_conn(circuit_t *circ, cell_t *cell, int cell_direction,layer_hint); -
crypt_path_t *layer_hint)
{ edge_connection_t *tmpconn; @@ -391,5 +393,6 @@ tmpconn=tmpconn->next_stream) { if (rh.stream_id == tmpconn->stream_id &&
-
!tmpconn->_base.marked_for_close) {
-
!tmpconn->_base.marked_for_close && -
tmpconn->cpath_layer == layer_hint) { log_debug(LD_APP,"found conn for stream %d.", rh.stream_id); return tmpconn;
[Automatically added by flyspray2trac: Operating System: All]