
commit 4ff65ee4cb8ed6d93cad1ae770659708a389746c
parent a3915d48f6d3f3959298e16edd20a8835ab2ae20
Author: Mike Perry <mikeperry-git@torproject.org>
Date:   Thu,  6 Nov 2025 21:32:41 +0000

Bug 41037: Directly check conflux state before use on control port.

Avoids fragile assert checks due to arbitrary control port events.

Diffstat:
Msrc/feature/control/control_fmt.c | 18+++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/feature/control/control_fmt.c b/src/feature/control/control_fmt.c
@@ -163,17 +163,25 @@ circuit_describe_status_for_controller(origin_circuit_t *circ)
 /* Add conflux id and RTT info, for accurate circuit display. The RTT is
 * provided to indicate the primary (preferred) circuit of a set
- * (which will have the lowest current RTT). */
- if (CIRCUIT_IS_CONFLUX(TO_CIRCUIT(circ))) {
+ * (which will have the lowest current RTT).
+ *
+ * NOTE: Because control port events can happen at arbitrary points, we
+ * must specificially check exactly what we need from the conflux object.
+ * We cannot use CIRCUIT_IS_CONFLUX() because this event may have been
+ * emitted while a set was under partial construction or teardown. */
+ if (TO_CIRCUIT(circ)->conflux || TO_CIRCUIT(circ)->conflux_pending_nonce) {
 const uint8_t *nonce = conflux_get_nonce(TO_CIRCUIT(circ));
 tor_assert(nonce);
- /* The conflux nonce is sensitive data. Only output half of it. */
+ /* The conflux nonce is an ephemeral cryptographic secret that if known in
+ * full, enables confirmation or data injection on a set by adding new legs
+ * at an exit from elsewhere. Only output half of it. */
 smartlist_add_asprintf(descparts, "CONFLUX_ID=%s",
 hex_str((const char *)nonce, DIGEST256_LEN/2));
- /* If we have a conflux object, the circ is linked and has an RTT */
- if (TO_CIRCUIT(circ)->conflux) {
+ /* If we have a conflux object that is fully linked, the circ has an RTT */
+ if (TO_CIRCUIT(circ)->conflux &&
+ TO_CIRCUIT(circ)->purpose == CIRCUIT_PURPOSE_CONFLUX_LINKED) {
 uint64_t circ_rtt = conflux_get_circ_rtt(TO_CIRCUIT(circ));
 if (circ_rtt) {
 smartlist_add_asprintf(descparts, "CONFLUX_RTT=%" PRIu64, circ_rtt);
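Review bot: The `tor_assert(nonce);` kept as context directly under the new `conflux || conflux_pending_nonce` test is still a fatal assert on a path the commit message says is reached from arbitrary control port events, so an unexpected set state here would still abort the process instead of just omitting one field. Since the stated goal is to avoid fragile asserts, I would make it non-fatal with `tor_assert_nonfatal(nonce);` and emit `CONFLUX_ID` only under `if (nonce)`. `conflux_get_nonce()` is defined outside this hunk, so whether it asserts internally while a set is partially built or being torn down cannot be seen here and is worth checking against the same reasoning. The added NOTE comment also misspells "specifically" as "specificially". The body of `circuit_describe_status_for_controller()` starts and ends outside the hunk.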