Opened 5 years ago

Closed 5 years ago

#11649 closed defect (fixed)

Memory leak when parsing broken microdescriptors

Reported by: nickm Owned by:
Priority: High Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-client 024-backport 023-backport memory-leak valgrind
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

When we're parsing microdescriptors, we don't clear the dynamically allocated part of the tokens after parsing. This can leak memory if the microdescriptors are badly formed.

This can enable a comparatively slow denial of service (on the order of several MB per MD download request made to a hostile source), and needs to be patched.

Found as a needle in the haystack of #11618.

Child Tickets

Change History (4)

comment:1 Changed 5 years ago by nickm

Status: newneeds_review

I have fixed this in 65575b0755f64d21d59532bf58e6c27e14086bbb, in 0.2.3, 0.2.4, and 0.2.5. (I meant to make a new branch, but accidentally pushed to master). Please have a look before we close this.

comment:2 Changed 5 years ago by cypherpunks

tokens allocated from memarea's space, if memarea_clear(area) not frees allocated memory (is it some tokens allocated not by memarea funcs?) then why memarea_drop_all can? Then why memleak on failure only?
It's no memleak or memleak for success parsing too. What am I missed?

Found.

Last edited 5 years ago by cypherpunks (previous) (diff)

comment:3 Changed 5 years ago by arma

I looked at it briefly and it looks plausible. This parsing stuff was your code though so you'll be better at knowing its implications than me. :)

comment:4 Changed 5 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

ok, nothing seems explodey, and the patch has been merged. Closing this ticket.

Note: See TracTickets for help on using tickets.