Opened 6 years ago

Closed 6 years ago

#14031 closed defect (fixed)

use after freed

Reported by: MegaManSec
Owned by:
Priority: Low
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-tests
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:



1409 channel_write_cell(ch, cell);
(this frees cell)
1417 tt_ptr_op(q->u.fixed.cell, ==, cell);

This uses cell.
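The pattern in the report is a test that hands a heap object to a routine which takes ownership and frees it, then still reads the variable afterwards. The following is an added example, not Tor's code: a constructed toy queue whose write routine frees the cell it is given, with the test written once in the shape Coverity flagged and once in a hardened form that snapshots what it needs before ownership moves. All names ending in _demo are hypothetical stand-ins for channel_write_cell() and the q->u.fixed.cell queue entry.

```c
/* Added example, not Tor's code. Names ending in _demo are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

typedef struct cell_demo_t {
  uint32_t circ_id;
  uint8_t command;
} cell_demo_t;

/* The queue copies the fields it needs and records the cell's address as an
 * integer, so nothing in the queue ever points at freed memory. */
typedef struct queue_entry_demo_t {
  uint32_t circ_id;
  uint8_t command;
  uintptr_t origin;
} queue_entry_demo_t;

#define QUEUE_CAP_DEMO 8
static queue_entry_demo_t g_queue[QUEUE_CAP_DEMO];
static size_t g_queue_len = 0;

/* Takes ownership of `cell` and frees it before returning, the behaviour
 * the ticket describes for channel_write_cell(). Returns 0 on success. */
static int channel_write_cell_demo(cell_demo_t *cell)
{
  if (g_queue_len >= QUEUE_CAP_DEMO) {
    free(cell);
    return -1;
  }
  queue_entry_demo_t *q = &g_queue[g_queue_len++];
  q->circ_id = cell->circ_id;
  q->command = cell->command;
  q->origin = (uintptr_t)cell;
  free(cell);
  return 0;
}

static cell_demo_t *make_cell_demo(uint32_t circ_id, uint8_t command)
{
  cell_demo_t *cell = calloc(1, sizeof(*cell));
  if (cell) {
    cell->circ_id = circ_id;
    cell->command = command;
  }
  return cell;
}

/* BUGGY (defined for contrast, never called): the shape Coverity reported.
 * `cell` is read after channel_write_cell_demo() freed it. Comparing the
 * stale address does not touch the freed bytes, but C11 6.2.4 makes the
 * pointer value indeterminate once the object's lifetime ends, so even the
 * comparison is not well-defined and analysers rightly flag it. Reading
 * cell->circ_id here instead would be a heap-use-after-free ASan reports. */
int test_write_cell_buggy_demo(void)
{
  cell_demo_t *cell = make_cell_demo(0x1234, 3);
  if (!cell) return 0;
  g_queue_len = 0;
  if (channel_write_cell_demo(cell) != 0) return 0;
  return g_queue[0].origin == (uintptr_t)cell;  /* use after free */
}

/* HARDENED: snapshot everything the assertions need before the call that
 * transfers ownership, then null the pointer so any later slip is a
 * deterministic NULL dereference rather than a silent stale read. */
int test_write_cell_hardened_demo(void)
{
  cell_demo_t *cell = make_cell_demo(0x1234, 3);
  if (!cell) return 0;
  uint32_t want_circ = cell->circ_id;
  uint8_t want_cmd = cell->command;
  uintptr_t want_origin = (uintptr_t)cell;

  g_queue_len = 0;
  if (channel_write_cell_demo(cell) != 0) return 0;
  cell = NULL;  /* ownership moved into the queue; do not touch again */

  const queue_entry_demo_t *q = &g_queue[0];
  return g_queue_len == 1 && q->circ_id == want_circ &&
         q->command == want_cmd && q->origin == want_origin;
}
```

The hardened test checks the same three facts as the buggy one (queue entry present, fields copied, address recorded) but every value it compares against was captured while the cell was still alive; building with `-fsanitize=address` turns any remaining stale dereference into a loud failure rather than a flaky pass.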

Change History (7)

comment:1 Changed 6 years ago by nickm

Component: - Select a component → Tor
Keywords: tor-tests added
Milestone: Tor: 0.2.6.x-final
Status: new → needs_information

Did you spot this with some static analysis tool? And does the latest Tor master branch have the same problem? I think I fixed this with 808e2b856bd77fa9b431272a6f37596655fd5945.

(Note that the tt_ptr_op call uses the address of cell, but not the cell itself).

comment:2 Changed 6 years ago by MegaManSec

Yes, with Coverity.

It is present in the master branch of the git repo.

comment:3 Changed 6 years ago by nickm

Should be fixed in eda5cebd6c334c3e6fa82c6623f33592a8f77e60, I hope.

comment:4 Changed 6 years ago by MegaManSec

Cool, thanks.

How about this?:


  1. alias: Assigning: rp_nickname = intro->u.v0.rp. rp_nickname now points to byte 0 of intro->u.v0.rp (which consists of 20 bytes).

1531 else rp_nickname = (const char *)(intro->u.v0.rp);

CID 12172 (#1 of 1): Out-of-bounds access (OVERRUN)6. overrun-buffer-val: Overrunning buffer pointed to by rp_nickname of 20 bytes by passing it to a function which accesses it at byte offset 40. [show details]
1533 node = node_get_by_nickname(rp_nickname, 0);


comment:5 Changed 6 years ago by nickm

That's a false positive, but a scary one. If you've got a suggested fix, that would rock.

comment:6 Changed 6 years ago by nickm

(Also, we also have a coverity scan account, so you don't need to send us all the stuff coverity tells you.)

comment:7 Changed 6 years ago by nickm

Resolution: fixed
Status: needs_information → closed