Opened 4 months ago

Last modified 3 months ago

#29786 assigned defect

Path bias circuits can still have cells pending

Reported by: mikeperry
Owned by: neel
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-hs
Cc: neel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

In #25773, we realized that half-closed connections need to be checked for extra cells when the circuit has been switched to path bias testing. The checks were added to the top of circuit_receive_relay_cell(), by calling pathbias_check_probe_response() to check if the path bias probe was correct, and if not, we call pathbias_count_valid_cells() to check if the cell is from a previous half-closed connection.

In https://github.com/mikeperry-tor/vanguards/issues/37, we learned that path bias circuits can still have a pending cell for onion services. In particular, there can be outstanding cells for RELAY_COMMAND_INTRO_ESTABLISHED, RELAY_COMMAND_RENDEZVOUS_ESTABLISHED, and RELAY_COMMAND_INTRODUCE_ACK, depending on circuit type.

There are sloppy ways to fix this, which are easy (just hack pathbias_count_valid_cells() to allow 1 cell for those circuit types), and precise ways (actually track if the pending cell has been received or not before and after path bias transition).

We should probably fix this the precise way, and just implement the hacky workaround in vanguards for now.
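
The difference between the two fixes named in the description, as an added example that is not part of the ticket or of Tor's code: a constructed C model in which the circuit struct, the command enum and every function name are hypothetical. It shows the flat one-cell allowance missing a stray cell when the owed reply arrived before the path bias transition, while tracking the pending reply flags it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: these types and names are assumptions, not Tor's. */
typedef enum { CMD_NONE, CMD_DATA, CMD_INTRO_ESTABLISHED,
               CMD_RENDEZVOUS_ESTABLISHED, CMD_INTRODUCE_ACK } cmd_t;

typedef struct {
  cmd_t pending_reply;   /* onion service reply still owed, or CMD_NONE */
  bool pathbias_testing; /* circuit has been switched to path bias testing */
  int sloppy_budget;     /* workaround: flat allowance of one cell */
  int flagged;           /* cells that nothing accounts for */
} circ_t;

/* Workaround: once testing, let one cell through without asking which
 * cell it is or whether the owed reply already arrived. */
static bool sloppy_accepts(circ_t *c, cmd_t cmd) {
  (void)cmd;
  if (!c->pathbias_testing) return true;
  if (c->sloppy_budget > 0) { c->sloppy_budget--; return true; }
  c->flagged++;
  return false;
}

/* Precise: the owed reply is consumed exactly once, before or after the
 * transition; any other cell on a testing circuit is flagged. */
static bool precise_accepts(circ_t *c, cmd_t cmd) {
  if (cmd != CMD_NONE && cmd == c->pending_reply) {
    c->pending_reply = CMD_NONE;
    return true;
  }
  if (!c->pathbias_testing) return true; /* normal handling, not modelled */
  c->flagged++;
  return false;
}

/* Reply arrives before (early) or after the transition, then one stray
 * DATA cell follows. Returns how many cells were flagged. */
int stray_cells_flagged(bool precise, bool early) {
  bool (*accepts)(circ_t *, cmd_t) = precise ? precise_accepts : sloppy_accepts;
  circ_t c = { CMD_RENDEZVOUS_ESTABLISHED, false, 1, 0 };
  if (early) accepts(&c, CMD_RENDEZVOUS_ESTABLISHED);
  c.pathbias_testing = true;
  if (!early) accepts(&c, CMD_RENDEZVOUS_ESTABLISHED);
  accepts(&c, CMD_DATA);
  return c.flagged;
}

int main(void) {
  printf("%d %d\n", stray_cells_flagged(false, true), stray_cells_flagged(true, true));
}
```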

Change History (3)

comment:1 Changed 3 months ago by nickm

Milestone: Tor: unspecified

comment:2 Changed 3 months ago by neel

Owner: set to neel
Status: new → assigned

comment:3 Changed 3 months ago by neel

Cc: neel added