
r14871@catbus: nickm | 2007-08-31 10:12:53 -0400
Check correct circuit type when calling functions from rend_process_relay_cell. Backport candidate.


svn:r11336

Nick Mathewson před 16 roky
rodič
revize
2ff871e530
2 změnil soubory, kde provedl 27 přidání a 12 odebrání
  1. 4 0
      ChangeLog
  2. 23 12
      src/or/rendcommon.c

+ 4 - 0
ChangeLog

@@ -13,6 +13,10 @@ Changes in version 0.2.0.7-alpha - 2007-??-??
     - Accept LF instead of CRLF on controller, since some software has a
       hard time generating real Internet newlines.
 
+  o Major bugfixes:
+    - Fix possible segfaults in functions called from
+      rend_process_relay_cell().
+
   o Minor bugfixes:
     - When generating information telling us how to extend to a given
       router, do not try to include the nickname if it is absent.  Fixes

+ 23 - 12
src/or/rendcommon.c

@@ -445,7 +445,7 @@ rend_process_relay_cell(circuit_t *circ, int command, size_t length,
 {
   or_circuit_t *or_circ = NULL;
   origin_circuit_t *origin_circ = NULL;
-  int r;
+  int r = -2;
   if (CIRCUIT_IS_ORIGIN(circ))
     origin_circ = TO_ORIGIN_CIRCUIT(circ);
   else
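Review bot: The new initial value `-2` on the `int r` line is an undocumented sentinel meaning "no handler was called", and it is only reliable if none of the rend_* handlers can itself return -2, which cannot be confirmed from this hunk. I would document it on the declaration, for example `int r = -2; /* -2: no handler ran; handlers are assumed never to return -2 */`, or track the condition with a separate flag so that a handler's return value can never be mistaken for the sentinel. The function's signature and the statement following `else` lie outside this hunk.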
@@ -453,37 +453,48 @@ rend_process_relay_cell(circuit_t *circ, int command, size_t length,
 
   switch (command) {
     case RELAY_COMMAND_ESTABLISH_INTRO:
-      r = rend_mid_establish_intro(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_establish_intro(or_circ,payload,length);
       break;
     case RELAY_COMMAND_ESTABLISH_RENDEZVOUS:
-      r = rend_mid_establish_rendezvous(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_establish_rendezvous(or_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRODUCE1:
-      r = rend_mid_introduce(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_introduce(or_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRODUCE2:
-      r = rend_service_introduce(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_service_introduce(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRODUCE_ACK:
-      r = rend_client_introduction_acked(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_client_introduction_acked(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_RENDEZVOUS1:
-      r = rend_mid_rendezvous(or_circ,payload,length);
+      if (or_circ)
+        r = rend_mid_rendezvous(or_circ,payload,length);
       break;
     case RELAY_COMMAND_RENDEZVOUS2:
-      r = rend_client_receive_rendezvous(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_client_receive_rendezvous(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_INTRO_ESTABLISHED:
-      r = rend_service_intro_established(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_service_intro_established(origin_circ,payload,length);
       break;
     case RELAY_COMMAND_RENDEZVOUS_ESTABLISHED:
-      r = rend_client_rendezvous_acked(origin_circ,payload,length);
+      if (origin_circ)
+        r = rend_client_rendezvous_acked(origin_circ,payload,length);
       break;
     default:
-      tor_assert(0);
+      tor_fragile_assert();
   }
 
-  (void)r;
+  if (r == -2)
+    log_info(LD_PROTOCOL, "Dropping cell (type %d) for wrong circuit type.",
+             command);
 }
 
 /** Return the number of entries in our rendezvous descriptor cache. */
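Review bot: In the `default:` branch `r` is still -2 after `tor_fragile_assert()`, so in builds where that assert does not abort, an unrecognized command falls through to the final check and is logged as "Dropping cell (type %d) for wrong circuit type.", which misreports why the cell was dropped. Because `command` is taken from a received relay cell, the two conditions are worth keeping distinct for anyone reading the logs. I would log the unknown-command case separately in `default:` and leave the function there, e.g. `log_info(LD_PROTOCOL, "Dropping rendezvous cell with unknown type %d.", command);` followed by `return;`. Separately, a failure return from any handler is still ignored, as it was with the old `(void)r;`; a short comment at the end of the function saying this is deliberate would help.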