Memory corruption in the HS client
| Reported by: | dgoulet | Owned by: | |
| Severity: | | Keywords: | tor-hs, regression, 2016-bug-retrospective |
This is in git master and hasn't been released.
Here is how the bug is triggered. You download a descriptor of a valid HS. Then restart that HS (thus making the current descriptor obsolete) and retry right away to download the descriptor for that HS. The tor client stops with a segfault in malloc() (you sometimes need a couple of tries to trigger the issue).
Now I believe this is a memory corruption of some sort since during the git bisect, I was able to trigger bad free() and other segfaults with tor_memcmp() in some other unrelated functions with the same use case. Bisect gave me this commit as the first bad commit:
    commit ab9a0e340728abd96128da726f67b4ccca10ba52
    Author: David Goulet <firstname.lastname@example.org>
    Date: Thu Jun 18 16:09:18 2015 -0400

        Add rend failure cache [...]
That precise commit introduces a memory corruption somewhere, somehow. I can't find it for now, so I'm filing this ticket. Attached is a debug log (3.3M) of the issue being triggered. It's also quite easy to run tor in gdb and catch the issue.
Change History (8)
Changed 20 months ago by dgoulet
comment:1 Changed 20 months ago by nickm
- Keywords regression added
- Priority changed from critical to blocker
comment:5 Changed 20 months ago by nickm
- Resolution set to fixed
- Status changed from needs_review to closed