Opened 12 years ago

Last modified 7 years ago

#458 closed defect (Fixed)

router_add_to_routerlist returns >=0 but ri gets freed

Reported by: arma Owned by:
Priority: Low Milestone:
Component: Core Tor/Tor Version: 0.2.0.2-alpha
Severity: Keywords:
Cc: arma Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Running r10828 inside valgrind:

==21699== Invalid read of size 1
==21699== at 0x80C6C2D: routerlist_descriptors_added (routerlist.c:2752)
==21699== by 0x80C7169: router_load_routers_from_string (routerlist.c:2870)
==21699== by 0x80C077D: router_reload_router_list_impl (routerlist.c:566)
==21699== by 0x80C0818: router_reload_router_list (routerlist.c:594)
==21699== by 0x80A7A2E: do_main_loop (main.c:1330)
==21699== by 0x80A8F26: tor_main (main.c:2606)
==21699== by 0x80DD9D9: main (tor_main.c:28)
==21699== Address 0x51EC212 is 154 bytes inside a block of size 172 free'd
==21699== at 0x401CFA5: free (vg_replace_malloc.c:233)
==21699== by 0x80C3992: routerinfo_free (routerlist.c:1761)
==21699== by 0x80C51FF: routerlist_replace (routerlist.c:2195)
==21699== by 0x80C6053: router_add_to_routerlist (routerlist.c:2484)
==21699== by 0x80C712F: router_load_routers_from_string (routerlist.c:2841)
==21699== by 0x80C077D: router_reload_router_list_impl (routerlist.c:566)
==21699== by 0x80C0818: router_reload_router_list (routerlist.c:594)
==21699== by 0x80A7A2E: do_main_loop (main.c:1330)
==21699== by 0x80A8F26: tor_main (main.c:2606)
==21699== by 0x80DD9D9: main (tor_main.c:28)

I only notice this now because I recently changed the call to
control_event_descriptors_changed() so we also look at the ri's when
we're not listening for certain controller events -- see
routerlist_descriptors_added().

I notice there are a few other places that call router_add_to_routerlist()
and expect ri to be usable if it doesn't fail -- including in dirserv.c,
which might explain some of these "routerlist has a freed routerinfo" bugs
we keep seeing on authorities.

So the first question is: what's the chain of events that causes
router_add_to_routerlist() to return >=0 yet to free the routerinfo?

[Automatically added by flyspray2trac: Operating System: All]

Child Tickets

Change History (3)

comment:1 Changed 12 years ago by arma

I think r10832 and r10833 solve this one.

comment:2 Changed 12 years ago by arma

flyspray2trac: bug closed.

comment:3 Changed 7 years ago by nickm

Component: Tor RelayTor
Note: See TracTickets for help on using tickets.