Opened 14 years ago

Last modified 7 years ago

#154 closed defect (Fixed)

replicable server crash by control message on win2k

Reported by: rm Owned by: nickm
Priority: Low Milestone:
Component: Core Tor/Tor Version: 0.1.0.8-rc
Severity: Keywords:
Cc: rm Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I found this while trying to implement the password authentication of the tor control protocol. On Windows 2000 Professional, tor 0.1.0.8-rc, the server can be replicably crashed by the following procedure:

  • set a HashedControlPassword in the torrc
  • start tor
  • open a local tcp connection to the ControlPort
  • send a byte sequence like 00 04 00 07 49 50 51 00 (4 bytes length, message type AUTHENTICATE, any password [in this case "123"], null terminator)

On my machine, the server crashes immediately. Example log:


Jun 04 21:54:35.046 [notice] Tor v0.1.0.8-rc. This is experimental software. Do not rely on it for strong anonymity.
Jun 04 21:54:35.109 [notice] Initialized libevent version 1.1 using method win32
Jun 04 21:54:48.437 [err] crypto_seed_rng(): Can't get CryptoAPI provider [2], error code: 8009000f
Jun 04 21:54:50.625 [notice] router_orport_found_reachable(): Your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Jun 04 21:54:50.765 [notice] Tor has successfully opened a circuit. Looks like it's working.
Jun 04 21:54:51.406 [notice] directory_handle_command_get(): Client asked for the mirrored directory, but we don't have a good one yet. Sending 503 Dir not available.
Jun 04 21:55:01.703 [err] _tor_malloc(): Out of memory. Dying.


At the time of testing, the machine had >200 MB of physical RAM available, so it's not an actual memory shortage.

Some lines of my torrc:


ControlPort 9696
ClientOnly 1
HashedControlPassword oGd9L4OZ3aBgsMS4044OjH1UDd0tYfh3E1RZZcY=
#CookieAuthentication 1


The rest are just standard settings.

[Automatically added by flyspray2trac: Operating System: Windows 2k/XP]

Child Tickets

Change History (5)

comment:1 Changed 14 years ago by rm

As I just noticed that there are different hash formats, I retested this with a newly generated hash:


HashedControlPassword 16:77786762B677717D605101C2E8ACB60D1019C8714F874871EBF346CC54


Same effect.

comment:2 Changed 14 years ago by nickm

Also, the "CryptoAPI provider" line is very scary--it means that you
aren't getting strong random numbers, and your server is probably not being
secure. Bad.

I'll look more into both of these.

Can you change the logging level to "debug" and run again? It may provide
more useful information to deal with the out-of-memory bug.

Thanks!

comment:3 Changed 14 years ago by nickm

Okay, I have reproduced, traced, and fixed the HashedControlPassword bug.

Now for the CryptoAPI provider one. It seems to be a duplicate of
bug 151, so I'll close this report.

comment:4 Changed 14 years ago by nickm

flyspray2trac: bug closed.

comment:5 Changed 7 years ago by nickm

Component: Tor RelayTor
Note: See TracTickets for help on using tickets.