Opened 20 months ago

Last modified 14 months ago

#29786 new defect

Path bias circuits can still have cells pending

Reported by: mikeperry Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-hs
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


In #25773, we realized that half-closed connections need to be checked for extra cells when the circuit has been switched to path bias testing. The checks were added to the top of circuit_receive_relay_cell(), by calling pathbias_check_probe_response() to check if the path bias probe was correct, and if not, we call pathbias_count_valid_cells() to check if the cell is from a previous half-closed connection.

In, we learned that path bias circuits can still have a pending cell for onion services. In particular, there can be outstanding cells for RELAY_COMMAND_INTRO_ESTABLISHED, RELAY_COMMAND_RENDEZVOUS_ESTABLISHED, and RELAY_COMMAND_INTRODUCE_ACK, depending on circuit type.

There's sloppy ways to fix this, which are easy (just hack pathbias_count_valid_cells() to allow 1 cell for those circuit types) and precise ways (actually track if the pending cell has been received or not before and after path bias transition).

We should probably fix this the precise way, and just implement the hacky workaround in vanguards for now.

Child Tickets

Change History (5)

comment:1 Changed 19 months ago by nickm

Milestone: Tor: unspecified

comment:2 Changed 19 months ago by neel

Owner: set to neel
Status: newassigned

comment:3 Changed 19 months ago by neel

Cc: neel added

comment:4 Changed 14 months ago by neel

Cc: neel removed
Owner: neel deleted

Unassigning myself from this.

comment:5 Changed 14 months ago by neel

Status: assignednew
Note: See TracTickets for help on using tickets.