Opened 6 years ago

Closed 6 years ago

#11275 closed defect (fixed)

memory leak in router_append_dirobj_signature()

Reported by: arma Owned by:
Priority: Medium Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-relay 024-backport
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

On moria1, I see these memory leaks, all seemingly related:

==7518== 320 bytes in 1 blocks are definitely lost in loss record 17 of 32
==7518==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==7518==    by 0x501A87: tor_malloc_ (util.c:162)
==7518==    by 0x46B9FA: router_get_dirobj_signature (routerparse.c:667)
==7518==    by 0x46BB0B: router_append_dirobj_signature (routerparse.c:704)
==7518==    by 0x4585EE: extrainfo_dump_to_string (router.c:2684)
==7518==    by 0x45A067: router_rebuild_descriptor (router.c:1947)
==7518==    by 0x45A4E2: router_get_my_routerinfo (router.c:1707)
==7518==    by 0x45A517: router_get_my_descriptor (router.c:1719)
==7518==    by 0x45C7F6: init_keys (router.c:909)
==7518==    by 0x4A6420: set_options (config.c:1459)
==7518==    by 0x4AA297: options_init_from_string (config.c:4185)
==7518==    by 0x4AA558: options_init_from_torrc (config.c:4037)
==7518== 320 bytes in 1 blocks are definitely lost in loss record 18 of 32
==7518==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==7518==    by 0x501A87: tor_malloc_ (util.c:162)
==7518==    by 0x46B9FA: router_get_dirobj_signature (routerparse.c:667)
==7518==    by 0x46BB0B: router_append_dirobj_signature (routerparse.c:704)
==7518==    by 0x4585EE: extrainfo_dump_to_string (router.c:2684)
==7518==    by 0x45A067: router_rebuild_descriptor (router.c:1947)
==7518==    by 0x45A4E2: router_get_my_routerinfo (router.c:1707)
==7518==    by 0x45A5B8: router_my_exit_policy_is_reject_star (router.c:1657)
==7518==    by 0x4D4D24: directory_fetches_from_authorities (dirserv.c:1224)
==7518==    by 0x433078: update_consensus_networkstatus_fetch_time (networkstatus.c:818)                  
==7518==    by 0x4351D9: networkstatus_set_current_consensus (networkstatus.c:1329)                       
==7518==    by 0x43575F: router_reload_consensus_networkstatus (networkstatus.c:143)                      
==7518== 320 bytes in 1 blocks are definitely lost in loss record 19 of 32
==7518==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==7518==    by 0x501A87: tor_malloc_ (util.c:162)
==7518==    by 0x46B9FA: router_get_dirobj_signature (routerparse.c:667)
==7518==    by 0x46BB0B: router_append_dirobj_signature (routerparse.c:704)
==7518==    by 0x4585EE: extrainfo_dump_to_string (router.c:2684)
==7518==    by 0x45A067: router_rebuild_descriptor (router.c:1947)
==7518==    by 0x45A4E2: router_get_my_routerinfo (router.c:1707)
==7518==    by 0x4BC328: connection_or_send_netinfo (connection_or.c:2160)
==7518==    by 0x487651: channel_tls_handle_var_cell (channeltls.c:1437)
==7518==    by 0x4BD908: connection_or_process_cells_from_inbuf (connection_or.c:2037)                    
==7518==    by 0x4B38D7: connection_handle_read (connection.c:3171)
==7518==    by 0x42E975: conn_read_callback (main.c:735)
==7518== 320 bytes in 1 blocks are definitely lost in loss record 20 of 32
==7518==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==7518==    by 0x501A87: tor_malloc_ (util.c:162)
==7518==    by 0x46B9FA: router_get_dirobj_signature (routerparse.c:667)
==7518==    by 0x46BB0B: router_append_dirobj_signature (routerparse.c:704)
==7518==    by 0x4585EE: extrainfo_dump_to_string (router.c:2684)
==7518==    by 0x45A067: router_rebuild_descriptor (router.c:1947)
==7518==    by 0x45A4E2: router_get_my_routerinfo (router.c:1707)
==7518==    by 0x45A922: router_orport_found_reachable (router.c:1205)
==7518==    by 0x48CC94: onionskin_answer (circuitbuild.c:1298)
==7518==    by 0x4C9EAF: connection_cpu_process_inbuf (cpuworker.c:370)
==7518==    by 0x4B38D7: connection_handle_read (connection.c:3171)
==7518==    by 0x42E975: conn_read_callback (main.c:735)
==7518== 320 bytes in 1 blocks are definitely lost in loss record 21 of 32
==7518==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==7518==    by 0x501A87: tor_malloc_ (util.c:162)
==7518==    by 0x46B9FA: router_get_dirobj_signature (routerparse.c:667)
==7518==    by 0x46BB0B: router_append_dirobj_signature (routerparse.c:704)
==7518==    by 0x4585EE: extrainfo_dump_to_string (router.c:2684)
==7518==    by 0x45A067: router_rebuild_descriptor (router.c:1947)
==7518==    by 0x45AA10: consider_publishable_server (router.c:1471)
==7518==    by 0x42FA59: second_elapsed_callback (main.c:1424)
==7518==    by 0x52C9343: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==7518==    by 0x42C2B0: do_main_loop (main.c:2009)
==7518==    by 0x42D034: tor_main (main.c:2882)
==7518==    by 0x5EFEC8C: (below main) (libc-start.c:228)

Child Tickets

Change History (10)

comment:1 Changed 6 years ago by arma

And then there's this one, which might be related or might be different:

==7518== 1,920 bytes in 6 blocks are definitely lost in loss record 30 of 32
==7518==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==7518==    by 0x501A87: tor_malloc_ (util.c:162)
==7518==    by 0x46B9FA: router_get_dirobj_signature (routerparse.c:667)
==7518==    by 0x46BB0B: router_append_dirobj_signature (routerparse.c:704)
==7518==    by 0x44A6F9: rend_encode_v2_descriptors (rendcommon.c:635)
==7518==    by 0x44C4B4: upload_service_descriptor (rendservice.c:2867)
==7518==    by 0x44CA17: rend_consider_services_upload (rendservice.c:3223)
==7518==    by 0x42F77C: second_elapsed_callback (main.c:1536)
==7518==    by 0x52C9343: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==7518==    by 0x42C2B0: do_main_loop (main.c:2009)
==7518==    by 0x42D034: tor_main (main.c:2882)
==7518==    by 0x5EFEC8C: (below main) (libc-start.c:228)

comment:2 Changed 6 years ago by arma

Sure seems like router_append_dirobj_signature() wants to be freeing sig in all cases before returning.

comment:3 Changed 6 years ago by arma

(if that theory is true, it looks like this issue applies to release-0.2.4 as well)

comment:4 Changed 6 years ago by arma

Status: newneeds_review

Suggested patch in my bug11275 branch. Still needs a changelog entry. Also untested.

comment:5 Changed 6 years ago by arma

moria1 survived running with this patch for a while. The leak did not reoccur (but I haven't checked to see how rare it is).

comment:6 Changed 6 years ago by nickm

Keywords: tor-relay 024-backport added

I made a "bug11275_024" branch with a changes file, against 0.2.4.

Merged it to 0.2.5; noting for possible backport.

comment:7 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-finalTor: 0.2.4.x-final

comment:8 Changed 6 years ago by nickm

Recommendation: no backport. This doesn't happen often enough to hurt anybody.

comment:9 Changed 6 years ago by arma

"no backport" is ok with me

comment:10 Changed 6 years ago by nickm

Milestone: Tor: 0.2.4.x-finalTor: 0.2.5.x-final
Resolution: fixed
Status: needs_reviewclosed

Okay. Closing as fixed-in-0.2.5.x.

Note: See TracTickets for help on using tickets.