rend_service_introduce() asserts circuit->rend_data before checking for proto violation
...
#ifndef NON_ANONYMOUS_MODE_ENABLED
tor_assert(!(circuit->build_state->onehop_tunnel));
#endif
tor_assert(circuit->rend_data);
base32_encode(serviceid, REND_SERVICE_ID_LEN_BASE32+1,
circuit->rend_data->rend_pk_digest, REND_SERVICE_ID_LEN);
log_info(LD_REND, "Received INTRODUCE2 cell for service %s on circ %d.",
escaped(serviceid), circuit->_base.n_circ_id);
if (circuit->_base.purpose != CIRCUIT_PURPOSE_S_INTRO) {
log_warn(LD_PROTOCOL,
"Got an INTRODUCE2 over a non-introduction circuit %d.",
circuit->_base.n_circ_id);
return -1;
}
A bad exit might be able to exploit this by sending a RELAY_COMMAND_INTRODUCE2
cell to a client (through a CIRCUIT_PURPOSE_C_GENERAL
circuit) and triggering tor_assert(circuit->rend_data);
.