tor

The Tor anonymity network
git clone https://git.dasho.dev/tor.git
Log | Files | Refs | README | LICENSE
commit 274e9f9939ee571234604d18c618c4cf1c4dcd9c
parent fec92363bac6e6e2ebe50e90b4078f6fc9554c6e
Author: David Goulet <dgoulet@torproject.org>
Date:   Tue,  5 Aug 2025 10:41:51 -0400

Merge branch 'maint-0.4.8'

Diffstat:

Achanges/bug41106 | 5+++++


Msrc/core/or/command.c | 5+++--


Msrc/core/or/relay.c | 28++++++++--------------------


3 files changed, 16 insertions(+), 22 deletions(-)

diff --git a/changes/bug41106 b/changes/bug41106
@@ -0,0 +1,5 @@
+  o Minor bugfixes (circuit handling):
+    - Prevent circuit_mark_for_close() from
+      being called twice on the same circuit.
+      Second fix attempt
+      Fixes bug 41106; bugfix on 0.4.8.17
diff --git a/src/core/or/command.c b/src/core/or/command.c
@@ -491,7 +491,7 @@ command_process_relay_cell(cell_t *cell, channel_t *chan)
 {
   const or_options_t *options = get_options();
   circuit_t *circ;
-  int direction;
+  int direction, reason;
   uint32_t orig_delivered_bw = 0;
   uint32_t orig_overhead_bw = 0;
 
@@ -581,7 +581,7 @@ command_process_relay_cell(cell_t *cell, channel_t *chan)
     }
   }
 
-  if (circuit_receive_relay_cell(cell, circ, direction) < 0) {
+  if ((reason = circuit_receive_relay_cell(cell, circ, direction)) < 0) {
     log_fn(LOG_DEBUG,LD_PROTOCOL,"circuit_receive_relay_cell "
            "(%s) failed. Closing.",
            direction==CELL_DIRECTION_OUT?"forward":"backward");
@@ -589,6 +589,7 @@ command_process_relay_cell(cell_t *cell, channel_t *chan)
     if (CIRCUIT_IS_ORIGIN(circ)) {
       control_event_circ_bandwidth_used_for_circ(TO_ORIGIN_CIRCUIT(circ));
     }
+    circuit_mark_for_close(circ, -reason);
   }
 
   if (CIRCUIT_IS_ORIGIN(circ)) {
diff --git a/src/core/or/relay.c b/src/core/or/relay.c
@@ -230,9 +230,6 @@ circuit_update_channel_usage(circuit_t *circ, cell_t *cell)
  *  - If not recognized, then we need to relay it: append it to the appropriate
  *    cell_queue on <b>circ</b>.
  *
- * If a reason exists to close <b>circ</b>, circuit_mark_for_close()
- * is called in this function, so the caller doesn't have to do it.
- *
  * Return -<b>reason</b> on failure, else 0.
  */
 int
@@ -255,8 +252,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
       < 0) {
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
            "relay crypt failed. Dropping connection.");
-    reason = -END_CIRC_REASON_INTERNAL;
-    goto error;
+    return -END_CIRC_REASON_INTERNAL;
   }
 
   circuit_update_channel_usage(circ, cell);
@@ -292,7 +288,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
         log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,
                "connection_edge_process_relay_cell (away from origin) "
                "failed.");
-        goto error;
+        return reason;
       }
     } else if (cell_direction == CELL_DIRECTION_IN) {
       ++stats_n_relay_cells_delivered;
@@ -307,7 +303,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
           log_warn(LD_OR,
                    "connection_edge_process_relay_cell (at origin) failed.");
         }
-        goto error;
+        return reason;
       }
     }
     return 0;
@@ -330,8 +326,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
      * XXX: Shouldn't they always die? */
     if (circ->purpose == CIRCUIT_PURPOSE_PATH_BIAS_TESTING) {
       TO_ORIGIN_CIRCUIT(circ)->path_state = PATH_STATE_USE_FAILED;
-      reason = -END_CIRC_REASON_TORPROTOCOL;
-      goto error;
+      return -END_CIRC_REASON_TORPROTOCOL;
     } else {
       return 0;
     }
@@ -351,14 +346,13 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
                                                CELL_DIRECTION_IN)) < 0) {
         log_warn(LD_REND, "Error relaying cell across rendezvous; closing "
                  "circuits");
-        goto error;
+        return reason;
       }
       return 0;
     }
     if (BUG(CIRCUIT_IS_ORIGIN(circ))) {
       /* Should be impossible at this point. */
-      reason = -END_CIRC_REASON_TORPROTOCOL;
-      goto error;
+      return -END_CIRC_REASON_TORPROTOCOL;
     }
     or_circuit_t *or_circ = TO_OR_CIRCUIT(circ);
     if (++or_circ->n_cells_discarded_at_end == 1) {
@@ -367,8 +361,7 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
              "Didn't recognize a cell, but circ stops here! Closing circuit. "
              "It was created %ld seconds ago.", (long)seconds_open);
     }
-    reason = -END_CIRC_REASON_TORPROTOCOL;
-    goto error;
+    return -END_CIRC_REASON_TORPROTOCOL;
   }
 
   log_debug(LD_OR,"Passing on unrecognized cell.");
@@ -378,14 +371,9 @@ circuit_receive_relay_cell(cell_t *cell, circuit_t *circ,
                                   * the cells. */
 
   if (append_cell_to_circuit_queue(circ, chan, cell, cell_direction, 0) < 0) {
-    reason = -END_CIRC_REASON_RESOURCELIMIT;
-    goto error;
+    return -END_CIRC_REASON_RESOURCELIMIT;
   }
   return 0;
-
-error:
-  circuit_mark_for_close(circ, -reason);
-  return reason;
 }
 
 /** Package a relay cell from an edge: