Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#4897 closed defect (fixed)

seg fault in circuit_expire_building

Reported by: arma
Owned by:
Priority: High
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-hs
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

#0  0x00000000004704ae in circuit_expire_building () at circuituse.c:559
559           log_info(LD_CIRC,"Marking circ %s:%d:%d (state %d:%s, purpose %d) "
(gdb) where
#0  0x00000000004704ae in circuit_expire_building () at circuituse.c:559
#1  0x000000000040c8cc in run_scheduled_events (timer=<value optimized out>,
    arg=<value optimized out>) at main.c:1416
#2  second_elapsed_callback (timer=<value optimized out>,
    arg=<value optimized out>) at main.c:1636
#3  0x00007f97ea023344 in event_base_loop () from /usr/lib/libevent-1.4.so.2
#4  0x0000000000409fa1 in do_main_loop () at main.c:1924
#5  0x000000000040a2dd in tor_main (argc=<value optimized out>,
    argv=0x7fff65475318) at main.c:2619
#6  0x00007f97e92d7c4d in __libc_start_main (main=<value optimized out>,
    argc=<value optimized out>, ubp_av=<value optimized out>,
    init=<value optimized out>, fini=<value optimized out>,
    rtld_fini=<value optimized out>, stack_end=0x7fff65475308)
    at libc-start.c:228                                   
#7  0x00000000004087c9 in _start ()                       

on moria1 running a hidden service

This was Tor 0.2.3.10-alpha-dev (git-53d88eb1ecf77147)

Change History (6)

comment:1 Changed 9 years ago by arma

(gdb) print victim
$1 = <value optimized out>
(gdb) print victim->n_conn->_base.address
Cannot access memory at address 0x28
(gdb) print victim->n_conn
Cannot access memory at address 0x28
(gdb) print victim
$2 = <value optimized out>
(gdb) print victim->n_circ_id
Cannot access memory at address 0x30

not so useful.

maybe victim is null?

comment:2 Changed 9 years ago by arma

Priority: normal → major

comment:3 in reply to:  1 Changed 9 years ago by rransom

Status: new → needs_review

Replying to arma:

> maybe victim is null?

If victim were NULL, TO_ORIGIN_CIRCUIT, victim->purpose, and a bunch of code above that block would have segfaulted instead. victim->n_conn must be NULL.

See my bug4897 branch for a fix.
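
Added example, not part of the ticket and not the code from the bug4897 branch: a minimal C reconstruction of the failure mode diagnosed in comment 3, a log call that dereferences `victim->n_conn` while it is NULL, next to a guarded version. The struct layouts, function names, log format and sample values are simplified assumptions, not Tor's definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions): field names follow the gdb session
 * above, but these are NOT Tor's struct definitions. */
typedef struct { const char *address; uint16_t port; } conn_t;
typedef struct {
  int purpose;
  int state;
  uint32_t n_circ_id;
  conn_t *n_conn;   /* NULL while the circuit has no next-hop connection */
} circ_t;

/* Failure mode: dereferences victim->n_conn unconditionally, so a circuit
 * with n_conn == NULL faults inside the logging call itself. */
int format_expiry_log_unguarded(const circ_t *victim, char *buf, size_t len) {
  return snprintf(buf, len, "Marking circ %s:%d:%u (state %d, purpose %d)",
                  victim->n_conn->address, victim->n_conn->port,
                  (unsigned)victim->n_circ_id, victim->state, victim->purpose);
}

/* Guarded form: check the nullable pointer first and log a placeholder,
 * so the diagnostic path cannot be the thing that crashes. */
int format_expiry_log(const circ_t *victim, char *buf, size_t len) {
  if (victim->n_conn == NULL)
    return snprintf(buf, len,
                    "Marking circ <unattached>:%u (state %d, purpose %d)",
                    (unsigned)victim->n_circ_id, victim->state,
                    victim->purpose);
  return format_expiry_log_unguarded(victim, buf, len);
}

int main(void) {
  char buf[128];
  conn_t conn = { "192.0.2.10", 9001 };      /* constructed sample values */
  circ_t attached = { 5, 2, 7, &conn };
  circ_t unattached = { 5, 2, 7, NULL };
  format_expiry_log(&attached, buf, sizeof buf);
  puts(buf);
  format_expiry_log(&unattached, buf, sizeof buf);
  puts(buf);
  return 0;
}
```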

comment:4 Changed 9 years ago by nickm

Resolution: fixed
Status: needs_review → closed

Merged; thanks!

comment:5 Changed 8 years ago by nickm

Keywords: tor-hs added

comment:6 Changed 8 years ago by nickm

Component: Tor Hidden Services → Tor