Opened 3 years ago

Closed 3 years ago

#22138 closed defect (fixed)

Crash on connecting to address

Reported by: harig Owned by: dgoulet
Priority: High Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-hs, control
Cc: nickm Actual Points:
Parent ID: Points: 0.1
Reviewer: Sponsor:

Description

Tor built from git:master crashes with the following stack on accessing address.

#0  tor_memcmp (a=0x5662880, b=b@entry=0x0, len=len@entry=20) at src/common/di_[ops.c:49 ops.c:49]

  v1 = 17v2 = <optimized out>equal_p = <optimized out>x = 0x5662880 "\217\"\257\335\006\252B8\255\331:\216\246\373»\234e'\021"y = 0x0i = 19retval = 0

#1  0x00000000004dd3c6 in get_desc_id_from_query (hsdir_fp=0x0, rend_data=0x4f57ba0) at src/or/control.c:6934

  fingerprint_sl_idx = <optimized out>fingerprint_sl_len = <optimized out>fingerprint = <optimized out>digest = 0x4f57bd9 "\217\034,\251\245Y\210\262", <incomplete sequence \370\227\027\270>replica = 0desc_id = 0x0

#2  control_event_hs_descriptor_receive_end (action=action@entry=0x7ba4aa <compress_diffs_with+9258> "FAILED",

  onion_address=0x4f57bc8 "g7pz322wcy6jnn4r", rend_data=rend_data@entry=0x4f57ba0, id_digest=id_digest@entry=0x0,reason=reason@entry=0x7746aa <__FUNCTION__.56891+842> "QUERY_NO_HSDIR") at src/or/control.c:7022
    desc_id_field = 0x0reason_field = 0x0desc_id_base32 = "\240\262\212\000\000\000\000\000\360\366\"\000\000\000\000\000@\370\"\000\000\000\000\000T\b\360#\341\270", <incomplete sequence \312>desc_id = 0x0__FUNCTION__ = "control_event_hs_descriptor_receive_end"

#3  0x00000000004dd856 in control_event_hs_descriptor_failed (rend_data=rend_data@entry=0x4f57ba0,

  id_digest=id_digest@entry=0x0, reason=reason@entry=0x7746aa <__FUNCTION__.56891+842> "QUERY_NO_HSDIR")at src/or/control.c:7136
    __FUNCTION__ = "control_event_hs_descriptor_failed"

#4  0x00000000004313d6 in directory_get_from_hs_dir (desc_id=<optimized out>, rend_query=0x4f57ba0, rs_hsdir=<optimized out>)

  at src/or/rendclient.c:727
    hs_dir = <optimized out>hsdir_fp = <optimized out>desc_id_base32 = "r4oczknflgelf6exc64aackbgnmnd4gr"descriptor_cookie_base64 = "\000\224!\001", '\000' <repeats 20 times>, "\001\000\000\000\000\000\000\000\200\234!\001\000\000\000\000T\b\360#\341\270,\312\067ߝ\353V\026<\226\267\221T\000\000\000\000\000x\220"__func__ = "directory_get_from_hs_dir"__FUNCTION__ = "directory_get_from_hs_dir"req = <optimized out>

#5  0x00000000004319b1 in fetch_v2_desc_by_addr (hsdirs=0x0, rend_query=0x4f57ba0) at src/or/rendclient.c:870

  rand_val = <optimized out>chosen_replica = <optimized out>descriptor_id = "\217\034,\251\245Y\210\262\370\227\027\270\000\tA3X\321", <incomplete sequence \360\321>i = 2ret = <optimized out>replicas_left_to_try = {1, 1}tries_left = 1

#6  rend_client_fetch_v2_desc (query=0x4f57ba0, hsdirs=0x0) at src/or/rendclient.c:911

  onion_address = <optimized out>

#7  0x00000000004322e4 in rend_client_refetch_v2_renddesc (rend_query=0x4f57ba0) at src/or/rendclient.c:951

  e = 0x0onion_address = 0x4f57bc8 "g7pz322wcy6jnn4r"__func__ = "rend_client_refetch_v2_renddesc"__FUNCTION__ = "rend_client_refetch_v2_renddesc"

#8  0x00000000004e9173 in connection_dir_about_to_close (dir_conn=dir_conn@entry=0x48bd320) at src/or/directory.c:3071

  conn = 0x48bd320

#9  0x00000000004b85c7 in connection_about_to_close_connection (conn=conn@entry=0x48bd320) at src/or/connection.c:722

  __func__ = "connection_about_to_close_connection"

#10 0x0000000000403dbf in connection_unlink (conn=0x48bd320) at src/or/main.c:350
No locals.
#11 0x0000000000404562 in conn_close_if_marked (i=<optimized out>) at src/or/main.c:906

  conn = <optimized out>retval = <optimized out>

#12 close_closeable_connections () at src/or/main.c:698

  conn = <optimized out>i = 0

#13 0x0000000000594592 in event_base_loop ()
No symbol table info available.
#14 0x0000000000405965 in run_main_loop_once () at src/or/main.c:2560

  loop_result = <optimized out>

#15 run_main_loop_until_done () at src/or/main.c:2614
No locals.
#16 do_main_loop () at src/or/main.c:2527

  __FUNCTION__ = "do_main_loop"__func__ = "do_main_loop"

#17 0x000000000040951f in tor_main (argc=argc@entry=5, argv=argv@entry=0x1207ef0) at src/or/main.c:3683

  result = <optimized out>hMod = <optimized out>__FUNCTION__ = "tor_main"

#18 0x000000000074406c in main (argc=5, argv=0x1207ef0) at src/or/tor_[main.c:34 main.c:34]

  r = <optimized out>

Child Tickets

Change History (3)

comment:1 Changed 3 years ago by dgoulet

Component: Core TorCore Tor/Tor
Keywords: tor-hs control added
Milestone: Tor: 0.3.1.x-final
Owner: set to dgoulet
Points: 0.1
Priority: MediumHigh
Status: newaccepted
Version: Tor: unspecified

comment:2 Changed 3 years ago by dgoulet

Status: acceptedneeds_review

Branch in bug22138_031_01.

Not yet released so no changes file.

comment:3 Changed 3 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Sure; this looks safe enough. Merging

Note: See TracTickets for help on using tickets.