commit 4c1a41f32d935cdc496946b9a3018e0edaabefb1
parent 09f4fe868aba86cef63d259132875f0a3ec169a2
Author: Nick Mathewson <nickm@torproject.org>
Date: Thu, 17 Apr 2025 20:26:20 -0400
Fix a bug in conflux_send_switch_command.
Using RELAY_PAYLOAD_SIZE(_MAX) here would send a relay message that used up
more than the actual length of the cell. Instead, send only the actual
CONFLUX_SWITCH message.
Closes #41056; bugfix on 0.4.8.1-alpha.
Diffstat:
2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/changes/bug41056 b/changes/bug41056
@@ -0,0 +1,4 @@
+ o Minor bugfixes (protocol):
+ - Set the length field correctly on RELAY_COMMAND_CONFLUX_SWITCH
+ messages. Previously, it was always set to the maximum value.
+ Fixes bug 41056; bugfix on 0.4.8.1-alpha.
diff --git a/src/core/or/conflux_cell.c b/src/core/or/conflux_cell.c
@@ -311,37 +311,34 @@ bool
conflux_send_switch_command(circuit_t *send_circ, uint64_t relative_seq)
{
trn_cell_conflux_switch_t *switch_cell = trn_cell_conflux_switch_new();
- cell_t cell;
+ uint8_t payload[RELAY_PAYLOAD_SIZE_MAX] = {0};
bool ret = true;
tor_assert(send_circ);
tor_assert(relative_seq < UINT32_MAX);
- memset(&cell, 0, sizeof(cell));
-
trn_cell_conflux_switch_set_seqnum(switch_cell, (uint32_t)relative_seq);
- if (trn_cell_conflux_switch_encode(cell.payload, RELAY_PAYLOAD_SIZE_MAX,
- switch_cell) < 0) {
+ ssize_t len = trn_cell_conflux_switch_encode(
+ payload, RELAY_PAYLOAD_SIZE_MAX,
+ switch_cell);
+ if (len < 0) {
log_warn(LD_BUG, "Failed to encode conflux switch cell");
ret = false;
goto end;
}
/* Send the switch command to the new hop */
- // TODO CGO XXXXX Fix bug #41056.
if (CIRCUIT_IS_ORIGIN(send_circ)) {
relay_send_command_from_edge(0, send_circ,
RELAY_COMMAND_CONFLUX_SWITCH,
- (const char*)cell.payload,
- RELAY_PAYLOAD_SIZE_MAX,
+ (const char*)payload, len,
TO_ORIGIN_CIRCUIT(send_circ)->cpath->prev);
} else {
relay_send_command_from_edge(0, send_circ,
RELAY_COMMAND_CONFLUX_SWITCH,
- (const char*)cell.payload,
- RELAY_PAYLOAD_SIZE_MAX,
- NULL);
+ (const char*)payload, len,
+ NULL);
}
end:
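Review bot: The result of `relay_send_command_from_edge()` is still discarded in both branches, so `ret` stays `true` and the function appears to report success even when the SWITCH message could not be sent. If that call signals failure through a negative return value (its definition is not visible here), each branch should record it, e.g. `if (relay_send_command_from_edge(...) < 0) ret = false;`. Separately, `len` is an `ssize_t` passed as the payload length; the `len < 0` check makes the conversion safe, but an explicit `(size_t)len` and a short comment such as `/* Send only the encoded bytes, not the whole buffer. */` would make the intent clear at both call sites. The function body continues past `end:`, outside this hunk, so the final return path is not visible here.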