Opened 5 years ago

Closed 5 years ago

#14116 closed defect (fixed)

Tor crashes when "extendcircuit" (control) is given only a circuit ID

Reported by: TvdW
Priority: Medium
Milestone: Tor: 0.2.6.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.5.10

Description

$ nc 127.0.0.1 1234
protocolinfo
250-PROTOCOLINFO 1
250-AUTH METHODS=HASHEDPASSWORD
250-VERSION Tor="0.2.5.10"
250 OK
authenticate "password"
250 OK
extendcircuit 0
250 EXTENDED 7
extendcircuit 7
<crash>
Jan 05 20:42:13.000 [notice] New control connection opened from 127.0.0.1.
Jan 05 20:42:22.000 [err] tor_assertion_failed_(): Bug: src/common/container.c:389: smartlist_split_string: Assertion str failed; aborting.
Jan 05 20:42:22.000 [err] Bug: Assertion str failed in smartlist_split_string at src/common/container.c:389. Stack trace:
Jan 05 20:42:22.000 [err] Bug:     0   tor.real                            0x001f2f51 log_backtrace + 82
Jan 05 20:42:22.000 [err] Bug:     1   tor.real                            0x0020217d tor_assertion_failed_ + 249
Jan 05 20:42:22.000 [err] Bug:     2   tor.real                            0x001f965c smartlist_split_string + 182
Jan 05 20:42:22.000 [err] Bug:     3   tor.real                            0x00128333 handle_control_extendcircuit + 876
Jan 05 20:42:22.000 [err] Bug:     4   tor.real                            0x0012b927 connection_control_process_inbuf + 3477
Jan 05 20:42:22.000 [err] Bug:     5   tor.real                            0x0010f009 connection_process_inbuf + 353
Jan 05 20:42:22.000 [err] Bug:     6   tor.real                            0x0010c29c connection_handle_read_impl + 954
Jan 05 20:42:22.000 [err] Bug:     7   tor.real                            0x0010c3e9 connection_handle_read + 50
Jan 05 20:42:22.000 [err] Bug:     8   tor.real                            0x00175a09 conn_read_callback + 138
Jan 05 20:42:22.000 [err] Bug:     9   libevent-2.0.5.dylib                0x0044227b event_persist_closure + 605
Jan 05 20:42:22.000 [err] Bug:     10  libevent-2.0.5.dylib                0x00441db4 event_process_active_single_queue + 270
Jan 05 20:42:22.000 [err] Bug:     11  libevent-2.0.5.dylib                0x0044241a event_process_active + 104
Jan 05 20:42:22.000 [err] Bug:     12  libevent-2.0.5.dylib                0x00442a7f event_base_loop + 643
Jan 05 20:42:22.000 [err] Bug:     13  tor.real                            0x00178a27 do_main_loop + 991
Jan 05 20:42:22.000 [err] Bug:     14  tor.real                            0x0017cabd tor_main + 293
Jan 05 20:42:22.000 [err] Bug:     15  tor.real                            0x000b059e main + 58
Jan 05 20:42:22.000 [err] Bug:     16  tor.real                            0x000b0535 start + 53
Abort trap: 6

Change History (7)

comment:1 Changed 5 years ago by arma

Milestone: Tor: 0.2.5.x-final

Looks like it is indeed this line:

  smartlist_split_string(router_nicknames, smartlist_get(args,1), ",", 0, 0);

where we should be checking if args,1 is actually there first.

Thanks!
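
The missing check described in comment:1, as an added example that is not part of the ticket and is not Tor's code: a simplified handler that verifies the argument count before reading the second argument. The function names, the fixed-size buffer and the reply codes are assumptions chosen for this sketch, and the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ARGS 8

/* Split body on spaces in place; returns the number of tokens stored. */
static int split_args(char *body, char *argv[], int max)
{
    int n = 0;
    for (char *t = strtok(body, " "); t && n < max; t = strtok(NULL, " "))
        argv[n++] = t;
    return n;
}

/* Hypothetical handler for the text that follows "extendcircuit".
 * Returns 250 (accepted), 512 (too few arguments) or 552 (bad circuit ID). */
int handle_extendcircuit(const char *line)
{
    char buf[256], *argv[MAX_ARGS], *end;
    if (strlen(line) >= sizeof(buf))
        return 512;
    strcpy(buf, line);
    int argc = split_args(buf, argv, MAX_ARGS);
    if (argc < 1)
        return 512;                     /* no circuit ID at all */
    unsigned long circ_id = strtoul(argv[0], &end, 10);
    if (end == argv[0] || *end != '\0')
        return 552;
    if (circ_id == 0)
        return 250;                     /* new circuit: router list optional */

    /* Existing circuit: a router list is required. Check the count
     * before touching argv[1]; reading it unchecked is what hands a
     * missing (NULL) string to the splitter. */
    if (argc < 2)
        return 512;
    int hops = 0;                       /* safe to split argv[1] now */
    for (char *r = strtok(argv[1], ","); r; r = strtok(NULL, ","))
        hops++;
    return hops > 0 ? 250 : 512;
}

int main(void)
{
    /* Constructed inputs; "7" alone is the case from the report. */
    const char *in[] = { "0", "7", "7 relayA,relayB", "" };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++)
        printf("\"%s\" -> %d\n", in[i], handle_extendcircuit(in[i]));
    return 0;
}
```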

comment:2 Changed 5 years ago by nickm

Please have a look at bug14116_025 in my public repository.

I'm happy to merge it into 0.2.5 if you think it's wise, arma.

comment:3 Changed 5 years ago by nickm

Status: new → needs_review

comment:4 Changed 5 years ago by rl1987

The patch looks good to me.

comment:5 Changed 5 years ago by nickm

Merged to master.  Still under consideration for 0.2.5 backport.

comment:6 Changed 5 years ago by arma

The backport looks pretty self-contained. I bet folks like weasel would consider this a quite reasonable thing to backport.

comment:7 Changed 5 years ago by nickm

Milestone: Tor: 0.2.5.x-final → Tor: 0.2.6.x-final
Resolution: fixed
Status: needs_review → closed

Not backporting these.
