Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#2629 closed defect (fixed)

tor client crashed when using bridges

Reported by: shitlei Owned by:
Priority: Medium Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: tor-client
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Tor client may crash when using 10 or more bridges,and this phenomenon exists in the latest version (0.2.22-alpha).i tracked the source code and found that in  function  any_pending_bridge_descriptor_fetches() in src/or/circuitbuild.c, pointer conn->linked_conn may be NULL and the code didn't check it.here's a dirty fix:

diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index cfc6b0d..9d428db 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -4748,7 +4748,8 @@ any_pending_bridge_descriptor_fetches(void)

conn->purpose == DIR_PURPOSE_FETCH_SERVERDESC &&
TO_DIR_CONN(conn)->router_purpose == ROUTER_PURPOSE_BRIDGE &&
!conn->marked_for_close &&

  •        conn->linked && !conn->linked_conn->marked_for_close) {

+        conn->linked &&
+        (conn_linked_conn && !conn->linked_conn->marked_for_close) ){

log_debug(LD_DIR, "found one: %s", conn->address);
return 1;

}

Child Tickets

Change History (4)

comment:1 Changed 9 years ago by nickm

Status: newneeds_review

comment:2 Changed 9 years ago by nickm

Resolution: fixed
Status: needs_reviewclosed

Hm. I think this is worth fixing, but I think it could be a bug in 0.2.1.x too. At least, 0.2.1.x has the same code, and I don't recall any huge changes to the way we handled linked connections in 0.2.2.x.

(I also went through the code to make sure that everywhere else we use linked_conn->foo, we first check that linked_conn is set. Other than this, we seem to be in the clear.)

Merging to 0.2.1.x and later. Thanks!

comment:3 Changed 7 years ago by nickm

Keywords: tor-client added

comment:4 Changed 7 years ago by nickm

Component: Tor ClientTor
Note: See TracTickets for help on using tickets.