Memory corruption in the HS client
This is in git master and hasn't been released.
Here is how the bug is triggered. You download a descriptor of a valid HS. Then restart that HS (thus making the current descriptor obsolete) and retry right away to download the descriptor for that HS. The tor client stops with a segfault in malloc() (you sometimes need a couple of tries to trigger the issue).
Now I believe this is a memory corruption of some sort since, during the git bisect, I was able to trigger bad free() and other segfaults with tor_memcmp() in some other unrelated functions with the same use case. Bisect gave me this commit as the first bad commit:
commit ab9a0e340728abd96128da726f67b4ccca10ba52
Author: David Goulet <dgoulet@ev0ke.net>
Date: Thu Jun 18 16:09:18 2015 -0400
Add rend failure cache
[...]
That precise commit introduces a memory corruption somewhere, somehow; I can't find it for now, so I'm filing this ticket. Attached is a debug log (3.3M) of the issue being triggered. It's also quite easy to run tor in gdb and catch the issue.
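The bisection workflow the reporter describes, as an added example that is not part of the ticket or of Tor's own code: it automates the search for the first bad commit with `git bisect run`. The repository, its eight commits and the "crash" check (a marker in a constructed file standing in for "start tor, fetch the descriptor, watch for the segfault") are all constructed here; the only assumption is that git is installed.

```shell
#!/bin/sh
# Added example, not from the ticket or from Tor: automated bisection with
# `git bisect run` on a throwaway repository. Everything below is constructed
# for the demonstration; the only assumption is an installed git.
set -eu

# Build a small repo with 8 commits. From commit 5 onwards the constructed
# file rend_cache.txt carries the marker our check treats as a crash.
make_repo() {
  dir=$(mktemp -d)
  (
    cd "$dir"
    git init -q >/dev/null 2>&1
    git config user.email "bisect-demo@example.invalid"
    git config user.name "bisect demo"
    git config commit.gpgsign false
    i=1
    while [ "$i" -le 8 ]; do
      if [ "$i" -ge 5 ]; then
        echo "use-after-free" >rend_cache.txt   # constructed regression marker
      else
        echo "ok" >rend_cache.txt
      fi
      echo "change $i" >other.txt               # keeps every commit non-empty
      git add rend_cache.txt other.txt
      git commit -q -m "commit $i" >/dev/null 2>&1
      i=$((i + 1))
    done
  )
  printf '%s\n' "$dir"
}

# Bisect between the root commit (known good) and HEAD (known bad). The check
# command plays the role of the manual repro: exit 0 means the revision is
# good, exit 1 means it is bad. git then walks the history by halving.
bisect_first_bad() {
  repo=$1
  (
    cd "$repo"
    root=$(git rev-list --max-parents=0 HEAD)
    git bisect start HEAD "$root" >/dev/null 2>&1
    git bisect run sh -c '! grep -q use-after-free rend_cache.txt' >/dev/null 2>&1
    # git records the verdict in its log as "# first bad commit: [<sha>] <subject>"
    git bisect log | sed -n 's/^# first bad commit: \[\([0-9a-f]*\)\].*/\1/p'
    git bisect reset >/dev/null 2>&1
  )
}

REPO=$(make_repo)
FIRST_BAD=$(bisect_first_bad "$REPO")
# Ground truth for the constructed repo: the 5th commit in history order.
EXPECTED=$(git -C "$REPO" rev-list --reverse HEAD | sed -n 5p)
printf 'first bad commit: %s\n' "$FIRST_BAD"
rm -rf "$REPO"
```

For a real memory-corruption hunt the check command would build tor at each revision, run the repro under a sanitizer or gdb, and return 125 for revisions that fail to build so `git bisect run` skips them instead of misclassifying them.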