Opened 12 years ago

Last modified 7 years ago

#436 closed defect (Fixed)

memory clobbered in tor_snprintf?

Reported by: arma
Owned by:
Priority: High
Milestone:
Component: Core Tor/Tor
Version: 0.2.0.0-alpha-dev
Severity:
Keywords:
Cc: arma
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

My dir auths seg fault:

#0  0x00002b79edb335b0 in strlen () from /lib/libc.so.6
#1  0x00002b79edb054bc in vfprintf () from /lib/libc.so.6
#2  0x00002b79edb2572a in vsnprintf () from /lib/libc.so.6
#3  0x0000000000471d33 in tor_vsnprintf (str=0x7fffbd8f3ad0 "HTTP/1.0 200 ",
    size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177", args=0x3) at compat.c:322
#4  0x0000000000471dd1 in tor_snprintf (str=0x5 <Address 0x5 out of bounds>,
    size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177") at compat.c:302
#5  0x0000000000434863 in write_http_status_line (conn=0x95b930, status=3,
    reason_phrase=0x0) at directory.c:1458
#6  0x0000000000436d49 in directory_handle_command (conn=0x95b930)
    at directory.c:1997
#7  0x00000000004378d5 in connection_dir_process_inbuf (conn=0x5)
    at directory.c:1430
#8  0x0000000000423d0b in connection_handle_read (conn=0x95b930)
    at connection.c:1597
#9  0x0000000000447670 in conn_read_callback (fd=<value optimized out>,
    event=<value optimized out>, _conn=<value optimized out>) at main.c:467
#10 0x00002b79ed3e70e2 in event_base_loop () from /usr/lib/libevent-1.1a.so.1
#11 0x00000000004472de in tor_main (argc=<value optimized out>,
    argv=<value optimized out>) at main.c:1349
#12 0x00002b79edadd4ca in __libc_start_main () from /lib/libc.so.6
#13 0x000000000040634a in _start () at ../sysdeps/x86_64/elf/start.S:113

(gdb) up
#4  0x0000000000471dd1 in tor_snprintf (str=0x5 <Address 0x5 out of bounds>,
    size=4788951, format=0x7fffbd8f3a01 ":\217½ÿ\177") at compat.c:302
302       r = tor_vsnprintf(str,size,format,ap);
(gdb) up
#5  0x0000000000434863 in write_http_status_line (conn=0x95b930, status=3,
    reason_phrase=0x0) at directory.c:1458
1458      if (tor_snprintf(buf, sizeof(buf), "HTTP/1.0 %d %s\r\n\r\n",
(gdb) up
#6  0x0000000000436d49 in directory_handle_command (conn=0x95b930)
    at directory.c:1997
1997      write_http_status_line(conn, 200, "Service descriptor stored");

If I set an assert inside write_http_status_line to make sure that
reason_phrase is non-null, it always is. It's getting clobbered
somewhere inside. Whenever this happens it always ends up with str=0x5
and status=3. So it's a deterministic clobbering, whatever it is.

I've gone hunting in a variety of places; I'll try to document them here
as I remember and re-check them.

One hint: it happens in r10233, but not in r10100. (It's harder to test the
ones in between because they trigger on the other bugs we were hunting.)

[Automatically added by flyspray2trac: Operating System: All]
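The frames above show vsnprintf() walking into strlen() on a reason_phrase of 0x0 while status reads as 3, so whatever clobbered the frame also handed a NULL to a "%s" conversion. As an added illustration that is not part of the ticket or of Tor's own code, the C below sketches a tor_snprintf-style wrapper (hypothetical safe_snprintf: always NUL-terminates, returns -1 on error or truncation) and a status-line builder (hypothetical format_http_status_line) that rejects an out-of-range status and never forwards a NULL reason phrase to the formatter:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Tor's tor_snprintf(): NUL-terminates on every
 * path and returns -1 on error or when the output would not fit.  Written
 * for this example, not copied from the Tor tree. */
static int
safe_snprintf(char *str, size_t size, const char *format, ...)
{
  va_list ap;
  int r;
  if (str == NULL || size == 0)
    return -1;
  va_start(ap, format);
  r = vsnprintf(str, size, format, ap);
  va_end(ap);
  if (r < 0 || (size_t)r >= size) {
    str[size - 1] = '\0';   /* truncated or failed: still a valid C string */
    return -1;
  }
  return r;
}

/* Builds the same status line the crashing frame was building.  A NULL
 * reason phrase under "%s" is undefined behaviour and is exactly what the
 * backtrace shows dying inside strlen(); a clobbered status like 3 is not a
 * valid HTTP code either, so both are caught before reaching vsnprintf(). */
static int
format_http_status_line(char *buf, size_t buflen, int status,
                        const char *reason_phrase)
{
  if (status < 100 || status > 599)
    return -1;
  if (reason_phrase == NULL)
    reason_phrase = "Unknown";   /* constructed placeholder, never NULL */
  return safe_snprintf(buf, buflen, "HTTP/1.0 %d %s\r\n\r\n",
                       status, reason_phrase);
}
```

Checks like these turn a libc crash deep under the caller into a -1 at the call site, which is where the ticket's assert on reason_phrase was expected to fire.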

Change History (4)

comment:1 Changed 12 years ago by arma

This crash also has happened through dirserv_add_multiple_descriptors (r==2)
in directory.c:
write_http_status_line(conn, 200, msg);

When the crash happens, it knocks down moria1 and moria2 at the same time. So
I can run them on different versions and be pretty confident that one version
is stable and the other not. (That's how I make the claims above.)

It happens pretty quickly and reliably after startup. Say after 5 to 15 minutes.

comment:2 Changed 12 years ago by arma

I ran it under Vidalia, and it didn't complain until the strlen. Curious.

What's worse, I ran with -O0 and -O1 and it didn't crash. The -O2 runs do.

comment:3 Changed 12 years ago by weasel

flyspray2trac: bug closed.
apparently fixed by r10376

comment:4 Changed 7 years ago by nickm

Component: Tor Relay → Tor