Opened 13 years ago

Last modified 7 years ago

#335 closed defect (Fixed)

Malformed extendcircuit from a controller can crash Tor

Reported by: edmanm
Priority: Low
Component: Core Tor/Tor
Cc: edmanm

Description

If the controller is naughty and doesn't follow the control-spec.txt for EXTENDCIRCUIT, it can crash Tor.
Tested with 0.1.1.23 and 0.1.2.1-alpha.

[edmanm@adrastea:~]$ telnet localhost 9051
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
authenticate
250 OK
extendcircuit 0 pasiphae thorforlife yargh
Connection closed by foreign host.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
0x00029c78 in handle_control_extendcircuit (conn=0x1588160, len=20457776, body=0x4 <Address 0x4 out of bounds>) at control.c:1751
1751 if (get_purpose(smartlist_get(args,2), 1, &intended_purpose) < 0) {
(gdb) bt
#0 0x00029c78 in handle_control_extendcircuit (conn=0x1588160, len=20457776, body=0x4 <Address 0x4 out of bounds>) at control.c:1751
#1 0x0002d7cc in connection_control_process_inbuf_v1 (conn=0x1588160) at control.c:2417
#2 0x0002e158 in connection_control_process_inbuf (conn=0x1588160) at control.c:2609
#3 0x00020300 in connection_handle_read (conn=0x1588160) at connection.c:1313
#4 0x00040bd4 in conn_read_callback (fd=25165824, event=1, _conn=0xbffff348) at main.c:405
#5 0x00073ba0 in event_base_loop (base=0x500ac0, flags=0) at event.c:256
#6 0x00040830 in tor_main (argc=591304, argv=0xbffff808) at main.c:1164
#7 0x000019ec in _start (argc=3, argv=0xbffff808, envp=0xbffff818) at /SourceCache/Csu/Csu-57.0.82/crt.c:272
#8 0x00001890 in start ()

[Automatically added by flyspray2trac: Operating System: All]
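The backtrace above dies inside the argument handling of handle_control_extendcircuit, i.e. on controller-supplied input that was never validated against the grammar. The following is an added example, not Tor's code and not the fix that closed this ticket: a bounds-checked parser for the body of an EXTENDCIRCUIT command, written to show the check a control-port handler needs before it indexes into a split argument list. The grammar it assumes (CircuitID SP ServerSpec *("," ServerSpec) [SP "purpose=" Purpose]) is the shape described in control-spec.txt of that era; every function name, constant and error code below is hypothetical.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits; Tor uses growable smartlists instead. */
#define MAX_ARGS 8
#define MAX_HOPS 8
#define MAX_NAME 64

enum ext_result {
    EXT_OK = 0,
    EXT_SYNTAX = -1,      /* wrong token count or unknown trailing token */
    EXT_BAD_CIRC_ID = -2, /* circuit id is not a decimal number */
    EXT_BAD_PATH = -3,    /* empty router name or too many hops */
    EXT_BAD_PURPOSE = -4  /* purpose= value not recognised */
};

struct extend_req {
    unsigned long circ_id;
    int n_hops;
    char hops[MAX_HOPS][MAX_NAME];
    int purpose; /* 0 = general, 1 = controller */
};

/* Split line on spaces into at most max tokens (in place).
 * Returns the token count, or -1 if there were more than max. */
static int split_args(char *line, char **argv, int max)
{
    int argc = 0;
    char *tok = strtok(line, " ");
    while (tok != NULL) {
        if (argc == max)
            return -1;
        argv[argc++] = tok;
        tok = strtok(NULL, " ");
    }
    return argc;
}

/* Accept only a complete decimal number. */
static int parse_circ_id(const char *s, unsigned long *out)
{
    char *end;
    if (!isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (errno == 0 && *end == '\0') ? 0 : -1;
}

/* Comma-separated router names; reject empty names and overlong paths. */
static int parse_path(const char *spec, struct extend_req *req)
{
    const char *p = spec;
    req->n_hops = 0;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0 || len >= MAX_NAME || req->n_hops == MAX_HOPS)
            return -1;
        memcpy(req->hops[req->n_hops], p, len);
        req->hops[req->n_hops][len] = '\0';
        req->n_hops++;
        if (!comma)
            return 0;
        p = comma + 1;
    }
}

static int parse_purpose(const char *value, int *out)
{
    if (strcmp(value, "general") == 0) { *out = 0; return 0; }
    if (strcmp(value, "controller") == 0) { *out = 1; return 0; }
    return -1;
}

/* body is the text after "EXTENDCIRCUIT " with the CRLF stripped. */
enum ext_result parse_extendcircuit(const char *body, struct extend_req *req)
{
    char buf[256];
    char *argv[MAX_ARGS];
    int argc;

    memset(req, 0, sizeof *req);
    if (strlen(body) >= sizeof buf)
        return EXT_SYNTAX;
    strcpy(buf, body);

    argc = split_args(buf, argv, MAX_ARGS);
    /* The bug class in the ticket: reaching for args[2] without first
     * checking how many tokens the controller actually sent.  Refuse
     * anything but 2 or 3 tokens before touching any index. */
    if (argc != 2 && argc != 3)
        return EXT_SYNTAX;
    if (parse_circ_id(argv[0], &req->circ_id) < 0)
        return EXT_BAD_CIRC_ID;
    if (parse_path(argv[1], req) < 0)
        return EXT_BAD_PATH;
    if (argc == 3) {
        if (strncmp(argv[2], "purpose=", 8) != 0)
            return EXT_SYNTAX;
        if (parse_purpose(argv[2] + 8, &req->purpose) < 0)
            return EXT_BAD_PURPOSE;
    }
    return EXT_OK;
}

int main(void)
{
    /* Constructed inputs: the ticket's line, and a well-formed one. */
    const char *lines[] = { "0 pasiphae thorforlife yargh", "0 pasiphae,thorforlife" };
    struct extend_req req;
    for (size_t i = 0; i < 2; i++)
        printf("%-32s -> %d\n", lines[i], (int)parse_extendcircuit(lines[i], &req));
    return 0;
}
```

The handler answers a 5xx error for every non-EXT_OK result instead of dereferencing whatever happens to sit at an index the controller never supplied; the strtok-based tokenizer is deliberately unforgiving about limits so that the count check is the single place the shape of the command is decided.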

Change History (2)

comment:1 Changed 13 years ago by arma

flyspray2trac: bug closed.

comment:2 Changed 7 years ago by nickm

Component: Tor Client → Tor