commit 5b69536ee24cf23baf003ffcabe2483dd9c2a014
parent 99ce40807a3a8ed5c7275051e11c70abda0809c3
Author: Nick Mathewson <nickm@torproject.org>
Date: Thu, 17 Apr 2025 19:31:36 -0400
More tolerance for packaging too-long payloads
(There are _lots_ of places that build a payload that would be long enough
to fit into a V0 cell, then pass it to relay_send_command_from_edge.)
Diffstat:
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/core/or/relay.c b/src/core/or/relay.c
@@ -623,8 +623,16 @@ relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *orig_circ,
{
relay_cell_fmt_t cell_format = relay_msg_get_format(circ, cpath_layer);
relay_msg_t msg;
- tor_assert(payload_len <=
- relay_cell_max_payload_size(cell_format, relay_command));
+ if (payload_len >
+ relay_cell_max_payload_size(cell_format, relay_command)) {
+ // TODO CGO: Rate-limit this?
+ log_warn(LD_BUG, "Tried to send a command %d of length %d in "
+ "a v%d cell, from %s:%d",
+ (int)relay_command, (int)payload_len, (int)cell_format,
+ filename, lineno);
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+ return -1;
+ }
msg.relay_cell_proto = cell_format;
msg.command = relay_command;
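Review bot: The new `log_warn(LD_BUG, ...)` in the too-long branch is emitted on every oversized send with no rate limit, and the commit message says many call sites can reach it, so this can flood the log; whether any of those call sites is driven by peer traffic is not visible in this hunk. The `TODO CGO` could be resolved now with Tor's existing helper: declare `static ratelim_t too_long_lim = RATELIM_INIT(600);` and call `log_fn_ratelim(&too_long_lim, LOG_WARN, LD_BUG, ...)` with the same format arguments. Separately, if `payload_len` is a `size_t` (its declaration is outside the hunk), the `(int)` cast under `%d` can misreport very large values, which are exactly the ones worth seeing accurately in a bug report. The function body starts before and continues past this hunk.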
@@ -637,7 +645,8 @@ relay_send_command_from_edge_,(streamid_t stream_id, circuit_t *orig_circ,
msg_body_len = msg.length;
if (relay_msg_encode_cell(cell_format, &msg, &cell) < 0) {
- // This already gave a BUG warning, so no need to log.
+ // We already called IF_BUG_ONCE in relay_msg_encode_cell.
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
return -1;
}
}
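Review bot: The encode-failure branch now closes the circuit with `END_CIRC_REASON_INTERNAL` but logs nothing itself. Going by the new comment, `relay_msg_encode_cell` reports through `IF_BUG_ONCE`, so only the first failure in a process lifetime would leave a trace and later closes on this path would be silent; that function is not visible here, so this is inferred from the comment. A low-severity line carrying the caller context already available in this function, e.g. `log_info(LD_BUG, "Failed to encode relay cell, from %s:%d", filename, lineno);`, would keep those closes diagnosable. The enclosing block opens outside this hunk.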