Rend circ corresponding to an intro circ is looked up improperly
circuit_get_by_rend_query_and_purpose to look up the rendezvous circuit corresponding to an introduction circuit by its purpose and destination hidden service address. Unfortunately, there may be multiple rendezvous circuits open with the same purpose (
CIRCUIT_PURPOSE_C_REND_READY) and destination hidden service address, especially with the proposal 171 changes and (less so) the #3000 (moved) fix in recent Tors.
rend_client_introduction_acked should look up the rendezvous circuit by its rendezvous cookie and DH public key instead.
If this bug occurs, it may trigger the following log message on the client side in
log_warn(LD_PROTOCOL,"Got rendezvous2 cell from hidden service, but not " "expecting it. Closing.");
However, the rend circ for which the
INTRODUCE1 cell was sent is likely to time out before the service reaches it.
The fix for this bug might be worth backporting to 0.2.2.x.