Opened 10 years ago

Closed 10 years ago

Last modified 8 years ago

#2097 closed defect (fixed)

Crash while checking whether directory_crashes_dir_info()

Reported by: nickm Owned by:
Priority: Medium Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor Version:
Severity: Keywords:
Cc: rransom Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

rransom found this while testing his patch for bug988. Here's the stack trace:

09:47 < rransom> #0  get_net_param_from_list (net_params=0xb0b0b0b0b0b0b0b, para
m_name=0x4d8880 "refuseunknownexits", default_val=1) at networkstatus.c:2127
09:51 < rransom> #1  0x00000000004959ec in directory_caches_dir_info (options=0x1a66790) at dirserv.c:1217
09:51 < rransom> #2  0x0000000000410b20 in networkstatus_set_current_consensus (consensus=<value optimized out>, flavor=<value optimized out>, flags=<value optimized out>) at networkstatus.c:1734

So set_current_consensus frees the current_consensus, then calls directory_caches_dir_info, which indirectly calls get_net_param_for_list on current_consensus, which has been freed.

Child Tickets

Attachments (1)

fix_along with_2849a95691c0.diff (501 bytes) - added by boboper's secretary 10 years ago.

Download all attachments as: .zip

Change History (8)

comment:1 Changed 10 years ago by nickm

Component: - Select a componentTor Client
Milestone: Tor: 0.2.2.x-final
Status: newneeds_review

See branch bug2097 in my public repository; the bug first manifested in 0.2.2.17-alpha, when we made directory_caches_dir_info() check the refuseunknownexits parameter in the current consensus. My branch is against maint-0.2.2

comment:2 Changed 10 years ago by Sebastian

The fix looks good to me.

This will fail the merge to master. The fix shouldn't be hard, but will want sanity-checking I think.

comment:3 Changed 10 years ago by arma

Yuck.

I had a quick glance at the patch, and it looks plausible.

comment:4 Changed 10 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

merged to 0.2.2 and master

comment:5 Changed 10 years ago by boboper's secretary

As related to commit that was done during investigate of this bug, Mr.boboper asked to attach completed version for 2849a95691c0.

Changed 10 years ago by boboper's secretary

comment:6 Changed 10 years ago by nickm

Thanks; applied that.

comment:7 Changed 8 years ago by nickm

Component: Tor ClientTor
Note: See TracTickets for help on using tickets.