Possible fix for bug 7212

This is the simplest possible workaround: make it safe to call
circuit_cell_queue_clear() on a non-attached circuit, and make it
safe-but-a-LD_BUG-warning to call update_circuit_on_cmux() on a
non-attached circuit.

 LocalWords:  unstage src Untracked

changes/bug7212

@@ -0,0 +1,6 @@
+  o Major bugfixes (relay):
+    - Fix an assertion failure that could occur when closing a connection
+      with a spliced rendezvous circuit. Fix for bug 7212; bugfix on
+      Tor 0.2.4.4-alpha.
+
+      

src/or/relay.c

@@ -1976,7 +1976,8 @@ cell_queue_pop(cell_queue_t *queue)
  * circuit mux.
  */
 void
-update_circuit_on_cmux(circuit_t *circ, cell_direction_t direction)
+update_circuit_on_cmux_(circuit_t *circ, cell_direction_t direction,
+                        const char *file, int lineno)
 {
   channel_t *chan = NULL;
   or_circuit_t *or_circ = NULL;
@@ -1999,7 +2000,11 @@ update_circuit_on_cmux(circuit_t *circ, cell_direction_t direction)
   cmux = chan->cmux;
 
   /* Cmux sanity check */
-  tor_assert(circuitmux_is_circuit_attached(cmux, circ));
+  if (! circuitmux_is_circuit_attached(cmux, circ)) {
+    log_warn(LD_BUG, "called on non-attachd circuit from %s:%d",
+             file, lineno);
+    return;
+  }
   tor_assert(circuitmux_attached_circuit_direction(cmux, circ) == direction);
 
   assert_cmux_ok_paranoid(chan);
@@ -2334,7 +2339,8 @@ circuit_clear_cell_queue(circuit_t *circ, channel_t *chan)
   cell_queue_clear(queue);
 
   /* Update the cell counter in the cmux */
-  update_circuit_on_cmux(circ, direction);
+  if (chan->cmux && circuitmux_is_circuit_attached(chan->cmux, circ))
+    update_circuit_on_cmux(circ, direction);
 }
 
 /** Fail with an assert if the circuit mux on chan is corrupt

src/or/relay.h

@@ -54,7 +54,10 @@ void append_cell_to_circuit_queue(circuit_t *circ, channel_t *chan,
 void channel_unlink_all_circuits(channel_t *chan);
 int channel_flush_from_first_active_circuit(channel_t *chan, int max);
 void assert_circuit_mux_okay(channel_t *chan);
-void update_circuit_on_cmux(circuit_t *circ, cell_direction_t direction);
+void update_circuit_on_cmux_(circuit_t *circ, cell_direction_t direction,
+                             const char *file, int lineno);
+#define update_circuit_on_cmux(circ, direction) \
+  update_circuit_on_cmux_((circ), (direction), SHORT_FILE__, __LINE__)
 
 int append_address_to_payload(uint8_t *payload_out, const tor_addr_t *addr);
 const uint8_t *decode_address_from_payload(tor_addr_t *addr_out,