Rend circ corresponding to an intro circ is looked up improperly
rend_client_introduction_acked uses circuit_get_by_rend_query_and_purpose to look up the rendezvous circuit corresponding to an introduction circuit by its purpose and destination hidden service address. Unfortunately, there may be multiple rendezvous circuits open with the same purpose (CIRCUIT_PURPOSE_C_REND_READY) and destination hidden service address, especially with the proposal 171 changes and (less so) the legacy/trac#3000 (moved) fix in recent Tors. rend_client_introduction_acked should look up the rendezvous circuit by its rendezvous cookie and DH public key instead.
If this bug occurs, it may trigger the following log message on the client side in rend_client_receive_rendezvous:
log_warn(LD_PROTOCOL,"Got rendezvous2 cell from hidden service, but not "
"expecting it. Closing.");
However, the rend circ for which the INTRODUCE1 cell was sent is likely to time out before the service reaches it.
The fix for this bug might be worth backporting to 0.2.2.x.
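The ambiguity described in this ticket, as an added example that is not Tor's code: a simplified model in which two ready rendezvous circuits share a purpose and onion address, so a first-match lookup on those fields can return a different circuit than a lookup keyed on the rendezvous cookie. The struct, function names, purpose value and sample data are all hypothetical, and only the cookie half of the proposed cookie-plus-DH-key lookup is modelled.

```c
#include <stddef.h>
#include <string.h>
#define REND_COOKIE_LEN 20      /* cookie length in bytes */
#define PURPOSE_C_REND_READY 1  /* stand-in value, not Tor's constant */

/* Hypothetical, simplified circuit record; not Tor's own circuit struct. */
typedef struct {
  int purpose;
  const char *onion_address;
  unsigned char rend_cookie[REND_COOKIE_LEN];
} model_circ_t;

/* Constructed sample: two ready rendezvous circuits to the same service. */
static const model_circ_t sample_circs[2] = {
  { PURPOSE_C_REND_READY, "exampleonionaddr", { 0xAA } },
  { PURPOSE_C_REND_READY, "exampleonionaddr", { 0xBB } },
};

/* Address-and-purpose lookup: first match wins, whatever cookie was sent. */
static const model_circ_t *lookup_by_query_and_purpose(const char *addr,
                                                       int purpose)
{
  for (size_t i = 0; i < 2; i++)
    if (sample_circs[i].purpose == purpose &&
        !strcmp(sample_circs[i].onion_address, addr))
      return &sample_circs[i];
  return NULL;
}

/* Cookie lookup: the cookie identifies exactly one rendezvous circuit. */
static const model_circ_t *lookup_by_cookie(const unsigned char *cookie)
{
  for (size_t i = 0; i < 2; i++)
    if (!memcmp(sample_circs[i].rend_cookie, cookie, REND_COOKIE_LEN))
      return &sample_circs[i];
  return NULL;
}

/* Returns 1 when the two lookups pick different circuits for this cookie. */
static int lookups_disagree(const unsigned char *sent_cookie)
{
  return lookup_by_query_and_purpose("exampleonionaddr", PURPOSE_C_REND_READY)
         != lookup_by_cookie(sent_cookie);
}

int main(void)
{
  const unsigned char sent[REND_COOKIE_LEN] = { 0xBB }; /* second circuit */
  return lookups_disagree(sent) ? 0 : 1;
}
```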