commit be751a46e3941d9e6af093a307107db443b2968c
parent 6df27ae9537dbc67846a5025945636b489674f0d
Author: David Goulet <dgoulet@torproject.org>
Date: Thu, 9 Nov 2023 09:14:19 -0500
Merge branch 'ticket40883_048_01' into maint-0.4.8
Diffstat:
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/changes/ticket40883 b/changes/ticket40883
@@ -0,0 +1,4 @@
+ o Major bugfixes (onion service, TROVE-2023-006):
+ - Fix a possible hard assert on a NULL pointer when recording a failed
+ rendezvous circuit on the service side for the MetricsPort. Fixes bug
+ 40883; bugfix on 0.4.8.1-alpha
diff --git a/src/feature/hs/hs_metrics.c b/src/feature/hs/hs_metrics.c
@@ -199,7 +199,12 @@ hs_metrics_update_by_ident(const hs_metrics_key_t key,
{
hs_service_t *service;
- tor_assert(ident_pk);
+ if (!ident_pk) {
+ /* We can end up here in case this is used from a failure/closing path for
+ * which we might not have any identity key attacehed to a circuit or
+ * connection yet. Simply don't assume we have one. */
+ return;
+ }
service = hs_service_find(ident_pk);
if (!service) {
diff --git a/src/feature/rend/rendcommon.c b/src/feature/rend/rendcommon.c
@@ -40,7 +40,14 @@ rend_process_relay_cell(circuit_t *circ, const crypt_path_t *layer_hint,
int r = -2;
if (CIRCUIT_IS_ORIGIN(circ)) {
origin_circ = TO_ORIGIN_CIRCUIT(circ);
- if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
+
+ /* Opened onion service circuit receiving cell MUST have an hs_ident as it
+ * is the underlying assumption else we can't process the cell. If this is
+ * the case, we can't recover so close the circuit. */
+ if (BUG(!origin_circ->hs_ident)) {
+ circuit_mark_for_close(circ, END_CIRC_REASON_INTERNAL);
+ origin_circ = NULL;
+ } else if (!layer_hint || layer_hint != origin_circ->cpath->prev) {
log_fn(LOG_PROTOCOL_WARN, LD_APP,
"Relay cell (rend purpose %d) from wrong hop on origin circ",
command);
