Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#2097 closed defect (fixed)

Crash while checking whether directory_crashes_dir_info()

Reported by: nickm Owned by:
Priority: Medium Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor Version:
Severity: Keywords:
Cc: rransom Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

rransom found this while testing his patch for bug988. Here's the stack trace:

09:47 < rransom> #0  get_net_param_from_list (net_params=0xb0b0b0b0b0b0b0b, para
m_name=0x4d8880 "refuseunknownexits", default_val=1) at networkstatus.c:2127
09:51 < rransom> #1  0x00000000004959ec in directory_caches_dir_info (options=0x1a66790) at dirserv.c:1217
09:51 < rransom> #2  0x0000000000410b20 in networkstatus_set_current_consensus (consensus=<value optimized out>, flavor=<value optimized out>, flags=<value optimized out>) at networkstatus.c:1734

So set_current_consensus frees the current_consensus, then calls directory_caches_dir_info, which indirectly calls get_net_param_for_list on current_consensus, which has been freed.

Child Tickets

Attachments (1)

fix_along with_2849a95691c0.diff (501 bytes) - added by boboper's secretary 9 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 9 years ago by nickm

Component: - Select a componentTor Client
Milestone: Tor: 0.2.2.x-final
Status: newneeds_review

See branch bug2097 in my public repository; the bug first manifested in 0.2.2.17-alpha, when we made directory_caches_dir_info() check the refuseunknownexits parameter in the current consensus. My branch is against maint-0.2.2

comment:2 Changed 9 years ago by Sebastian

The fix looks good to me.

This will fail the merge to master. The fix shouldn't be hard, but will want sanity-checking I think.

comment:3 Changed 9 years ago by arma

Yuck.

I had a quick glance at the patch, and it looks plausible.

comment:4 Changed 9 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

merged to 0.2.2 and master

comment:5 Changed 9 years ago by boboper's secretary

As related to commit that was done during investigate of this bug, Mr.boboper asked to attach completed version for 2849a95691c0.

Changed 9 years ago by boboper's secretary

comment:6 Changed 9 years ago by nickm

Thanks; applied that.

comment:7 Changed 7 years ago by nickm

Component: Tor ClientTor
Note: See TracTickets for help on using tickets.