Merge branch 'maint-0.3.0'

changes/trove-2017-004

@@ -1,8 +1,8 @@
   o Major bugfixes (hidden service, relay, security):
-    - Fix an assertion failure when an hidden service handles a
+    - Fix an assertion failure when a hidden service handles a
       malformed BEGIN cell. This bug resulted in the service crashing
       triggered by a tor_assert(). Fixes bug 22493, tracked as
-      TROVE-2017-004 and as CVE-2017-0375; bugfix on tor-0.3.0.1-alpha.
+      TROVE-2017-004 and as CVE-2017-0375; bugfix on 0.3.0.1-alpha.
       Found by armadev.
 
 

changes/trove-2017-005

@@ -0,0 +1,7 @@
+  o Major bugfixes (hidden service, relay, security):
+    - Fix an assertion failure caused by receiving a BEGIN_DIR cell on
+      a hidden service rendezvous circuit. Fixes bug 22494, tracked as
+      TROVE-2017-005 and CVE-2017-0376; bugfix on 0.2.2.1-alpha. Found
+      by armadev.
+
+

src/or/relay.c

@@ -1636,7 +1636,8 @@ connection_edge_process_relay_cell(cell_t *cell, circuit_t *circ,
                "Begin cell for known stream. Dropping.");
         return 0;
       }
-      if (rh.command == RELAY_COMMAND_BEGIN_DIR) {
+      if (rh.command == RELAY_COMMAND_BEGIN_DIR &&
+          circ->purpose != CIRCUIT_PURPOSE_S_REND_JOINED) {
         /* Assign this circuit and its app-ward OR connection a unique ID,
          * so that we can measure download times. The local edge and dir
          * connection will be assigned the same ID when they are created