Opened 2 years ago

Closed 2 years ago

#22644 closed defect (fixed)

Assert crash with HSPOST and POSTDESCRIPTOR control port commands

Reported by: donncha Owned by: nickm
Priority: High Milestone: Tor: 0.3.2.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-control, crash, 029-backport, 030-backport, 031-backport, review-group-23
Cc: Actual Points: .1
Parent ID: Points: 1
Reviewer: dgoulet Sponsor:

Description

The HSPOST and POSTDESCRIPTOR control port command accept multi-line data. Both of these commands crash when they receive an empty command body.

A trivial test case is as follows:

AUTHENTICATE
+HSPOST 
.

Stacktraces:

Jun 18 19:27:41.000 [err] tor_assertion_failed_(): Bug: ../src/or/control.c:3098: handle_control_postdescriptor: Assertion cp failed; aborting. (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug: Assertion cp failed in handle_control_postdescriptor at ../src/or/control.c:3098. Stack trace: (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(log_backtrace+0x42) [0x564171496242] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(tor_assertion_failed_+0x94) [0x5641714a44f4] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(connection_control_process_inbuf+0x279a) [0x5641714602da] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(+0xe81c5) [0x56417144a1c5] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(+0x410f1) [0x5641713a30f1] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x6a0) [0x7fe33b428420] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(do_main_loop+0x21d) [0x5641713a40bd] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(tor_main+0x1b95) [0x5641713a7675] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(main+0x19) [0x56417139fdc9] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7fe33a5643f1] (on Tor 0.2.8.9 )
Jun 18 19:27:41.000 [err] Bug:     tor(+0x3de1b) [0x56417139fe1b] (on Tor 0.2.8.9 )
[1]    14542 abort      tor -f torrc.local
Jun 18 19:35:43.000 [err] tor_assertion_failed_(): Bug: ../src/common/util.c:316: tor_strndup_: Assertion n < SIZE_T_CEILING failed; aborting. (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug: Assertion n < SIZE_T_CEILING failed in tor_strndup_ at ../src/common/util.c:316. Stack trace: (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(log_backtrace+0x42) [0x564aa98a8242] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(tor_assertion_failed_+0x94) [0x564aa98b64f4] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(tor_strndup_+0x91) [0x564aa98b6e01] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(+0x3bef8) [0x564aa97afef8] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(connection_control_process_inbuf+0x1e1f) [0x564aa987195f] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(+0xe81c5) [0x564aa985c1c5] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(+0x410f1) [0x564aa97b50f1] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     /usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x6a0) [0x7f1ea6c60420] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(do_main_loop+0x21d) [0x564aa97b60bd] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(tor_main+0x1b95) [0x564aa97b9675] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(main+0x19) [0x564aa97b1dc9] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7f1ea5d9c3f1] (on Tor 0.2.8.9 )
Jun 18 19:35:43.000 [err] Bug:     tor(+0x3de1b) [0x564aa97b1e1b] (on Tor 0.2.8.9 )
[1]    15378 abort      tor -f torrc.local

Child Tickets

Change History (7)

comment:1 Changed 2 years ago by arma

Milestone: Tor: 0.3.2.x-final

Easily reproduced. Nice!

comment:2 Changed 2 years ago by nickm

Keywords: tor-control crash added
Points: 1
Priority: MediumHigh

comment:3 Changed 2 years ago by nickm

Owner: set to nickm
Status: newaccepted

comment:4 Changed 2 years ago by nickm

Actual Points: .1
Keywords: 029-backport 030-backport 031-backport added
Status: acceptedneeds_review

See branch bug22644_029. I also looked over control.c to make sure there weren't any other instances of doing a memchr and then asserting/assuming it was non-NULL.

Since these are post-authentication crashes, I'm not suggesting that we backport the fixes any farther.

comment:5 Changed 2 years ago by nickm

Keywords: review-group-23 added

Put 0.3.2 needs_review and merge_ready tickets into review-group-23.

comment:6 Changed 2 years ago by dgoulet

Reviewer: dgoulet
Status: needs_reviewmerge_ready

lgtm;

comment:7 Changed 2 years ago by nickm

Resolution: fixed
Status: merge_readyclosed

merged to 029 and forward!

Note: See TracTickets for help on using tickets.