commit 4f1298e4189f8bda8ecf48cf7ff25445698d747a
parent d563d1a4b7adadc104d6e8a3d9b9f4edb1d81828
Author: David Goulet <dgoulet@torproject.org>
Date: Thu, 23 Jun 2022 09:41:54 -0400
cmux: Don't pick a marked for close circuit as active
Fixes #25312
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat:
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/changes/ticket25312 b/changes/ticket25312
@@ -0,0 +1,3 @@
+ o Minor bugfixes (circuit):
+ - Fix a tiny window where a circuit can be chosen as active but is marked
+ for close. Fixes bug 25312; bugfix on 0.2.4.4-alpha.
diff --git a/src/core/or/circuitmux_ewma.c b/src/core/or/circuitmux_ewma.c
@@ -35,6 +35,7 @@
#include <math.h>
#include "core/or/or.h"
+#include "core/or/circuit_st.h"
#include "core/or/circuitmux.h"
#include "core/or/circuitmux_ewma.h"
#include "lib/crypt_ops/crypto_rand.h"
@@ -382,10 +383,17 @@ ewma_pick_active_circuit(circuitmux_t *cmux,
pol = TO_EWMA_POL_DATA(pol_data);
- if (smartlist_len(pol->active_circuit_pqueue) > 0) {
+ for (int i = 0; i < smartlist_len(pol->active_circuit_pqueue); i++) {
/* Get the head of the queue */
- cell_ewma = smartlist_get(pol->active_circuit_pqueue, 0);
+ cell_ewma = smartlist_get(pol->active_circuit_pqueue, i);
circ = cell_ewma_to_circuit(cell_ewma);
+ /* Don't send back closed circuit. This is possible because the circuit
+ * is detached from the cmux before the circuit gets freed and not when
+ * marked for close. Because of that, there is a window where a closed
+ * circuit can be picked here. See #25312. */
+ if (circ->marked_for_close) {
+ continue;
+ }
}
return circ;
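Review bot: The new loop has no `break` after it finds a circuit that is not marked for close, so each iteration overwrites `circ` and the function returns whatever is in the last slot of `active_circuit_pqueue`, marked or not. Adding `circ = NULL;` before the `continue;` and a `break;` after the `if` block would return the first unmarked entry, or NULL when every entry is marked; this assumes callers already accept NULL, as they presumably must for an empty queue. If the smartlist is maintained as a heap, as the `pqueue` name suggests, only index 0 is guaranteed to be the best-priority entry, so scanning by index may not give the next-best circuit. The `/* Get the head of the queue */` comment also no longer matches the indexed `smartlist_get(..., i)` below it. The function body starts before this hunk and its closing brace is outside it, so the initial value of `circ` is not visible here.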