Tor wrongly processes circuit as connected to n_chan if create cell delivery failed
If circuit_deliver_create_cell() failed, Tor still assumes the circuit was attached to n_chan and tries to mess with it later.
While marking the circuit with circuit_mark_for_close(), it calls:
    if (circ->n_chan) {
      circuit_clear_cell_queue(circ, circ->n_chan);
      /* Only send destroy if the channel isn't closing anyway */
      if (!(circ->n_chan->state == CHANNEL_STATE_CLOSING ||
            circ->n_chan->state == CHANNEL_STATE_CLOSED ||
            circ->n_chan->state == CHANNEL_STATE_ERROR)) {
        channel_send_destroy(circ->n_circ_id, circ->n_chan, reason);
      }
      circuitmux_detach_circuit(circ->n_chan->cmux, circ);
      circuit_set_n_circid_chan(circ, 0, NULL);
    }
This is useless at least, or is probably corrupting internal structures.
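
A reduced model of the state mismatch described above, as an added example that is not Tor's code and not part of the original report. It assumes n_chan is assigned before delivery and that attachment happens only on success; every type, field and function name in it is hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model; every name is hypothetical, none is Tor's own code. */
typedef struct { int max_ids, attached, destroys_sent; } chan_t;
typedef struct { chan_t *n_chan; bool on_mux; } circ_t;

/* Assumption: n_chan is set first; the mux is joined only on delivery. */
static int deliver_create(circ_t *c, chan_t *ch) {
  c->n_chan = ch;
  if (ch->attached >= ch->max_ids) return -1;  /* failed, never attached */
  ch->attached++;
  c->on_mux = true;
  return 0;
}

/* Close path shaped like the snippet above: n_chan != NULL means attached. */
static void close_naive(circ_t *c) {
  if (c->n_chan) {
    c->n_chan->destroys_sent++;   /* destroy for a circuit never created */
    c->n_chan->attached--;        /* detach with no matching attach */
    c->n_chan = NULL;
  }
}

/* Guarded close: undo only what delivery actually did. */
static void close_guarded(circ_t *c) {
  if (c->n_chan && c->on_mux) {
    c->n_chan->destroys_sent++;
    c->n_chan->attached--;
  }
  c->n_chan = NULL;
}

/* a attaches, b fails delivery, b is closed; a stays open, so 1 is correct. */
static int scenario(bool guarded, int *destroys) {
  chan_t ch = { 1, 0, 0 };
  circ_t a = { NULL, false }, b = { NULL, false };
  deliver_create(&a, &ch);
  deliver_create(&b, &ch);            /* returns -1: no ID left */
  if (guarded) close_guarded(&b); else close_naive(&b);
  *destroys = ch.destroys_sent;
  return ch.attached;
}

int main(void) {
  int d1, d2, n1 = scenario(false, &d1), n2 = scenario(true, &d2);
  printf("naive %d/%d, guarded %d/%d\n", n1, d1, n2, d2);
  return 0;
}
```

In the naive path the channel's attached count drops to 0 while circuit a is still open, and one destroy is sent for a circuit the peer never saw; the guarded path leaves both counters untouched.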