[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #18050 [Tor]: Relay submitted a descriptor with 0 DirPort due to a self-test race condition



#18050: Relay submitted a descriptor with 0 DirPort due to a self-test race
condition
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:
     Type:  defect                               |         Status:  new
 Priority:  Medium                               |      Milestone:  Tor:
Component:  Tor                                  |  0.2.8.x-final
 Severity:  Normal                               |        Version:  Tor:
 Keywords:  026-maybe-backport, 027-maybe-       |  0.2.6.10
  backport                                       |     Resolution:
Parent ID:                                       |  Actual Points:
  Sponsor:                                       |         Points:
-------------------------------------------------+-------------------------

Comment (by teor):

 Replying to [comment:3 starlight]:
 > Looked briefly at local logs and the logic.  Current design appears to
 always publish a descriptor with DirPort=0 during boot.
 `run_scheduled_events()` publishes a changed descriptor once every 60
 seconds, and the typical boot sequence runs the DirPort reachability at
 slightly over 60 seconds from start.
 > ...
 > When this happens just before the consensus vote time at minute 50 of
 each hour, the race condition identified by Teor occurs.  Reexamined half
 of the above events and in all cases problem descriptor was published at
 46-49 minutes.
 >
 > Perhaps `consider_publishable_server()` should be adjusted to delay the
 descriptor until the DirPort test is complete.

 I agree.

 This sounds somewhat similar to #17782. When its address changes, tor
 doesn't test ORPort reachability. So it will go ahead and publish a
 descriptor with the wrong address, as long as an old address was reachable
 at some point.

 We should make tor wait for ORPort and DirPort reachability every time:
 * it starts up,
 * the config changes address, ORPort, or DirPort.

 There's a drawback here, which is that tor won't ever publish a descriptor
 if only the ORPort is reachable (perhaps due to a broken firewall config).
 I think we should have a timeout after which tor warns, then publishes the
 descriptor without the DirPort. Given the time ranges we're seeing, the
 timeout should be at least 20 minutes.

 (Relays with no DirPort will still be used for directory requests once
 #12538 is merged.)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18050#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs