Opened 12 years ago

Last modified 7 years ago

#527 closed defect (Fixed)

double-free in r11851

Reported by: arma
Owned by:
Priority: Low
Milestone:
Component: Core Tor/Tor
Version:
Severity:
Keywords:
Cc: arma
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


moria1, running as a v3 authority, dumps core rarely with a glibc complaint:

* glibc detected * double free or corruption (out): 0x00002aaaaec6b500 *
Aborted (core dumped)

Core was generated by `../or/tor -f moria1-orrc'.
Program terminated with signal 6, Aborted.
#0 0x00002b3ce904d07b in ?? ()
(gdb) where
#0 0x00002b3ce904d07b in ?? ()
#1 0x00002b3ce904e84e in ?? ()
#2 0x00007fffc2394590 in ?? ()
#3 0x00007fffc2394488 in ?? ()
#4 0x0000003000000018 in ?? ()
#5 0x00007fffc2394670 in ?? ()
#6 0x00007fffc23945b0 in ?? ()
#7 0x00002b3ce8c67b6f in ?? ()
#8 0x0000000000000000 in ?? ()

Last item in my info-level log was
Oct 12 02:42:13.225 [info] connection_or_check_valid_handshake(): Tried connecting to router at, but identity key was not as expected: wanted FD00AAFFA74EEFD3797C78A16C0BCEDE0E016B8A but got BED56DA49ECE42B9059369DEB37E39


I don't know how to trigger it.

[Automatically added by flyspray2trac: Operating System: All]

Change History (4)

comment:1 Changed 12 years ago by arma

Got a real traceback:
(gdb) where
#0 0x00002b51bb19607b in raise () from /lib/
#1 0x00002b51bb19784e in abort () from /lib/
#2 0x00002b51bb1cc6e9 in libc_message () from /lib/
#3 0x00002b51bb1d3253 in _int_free () from /lib/
#4 0x00002b51bb1d32de in free () from /lib/
#5 0x000000000043bda6 in directory_handle_command (conn=0x490c150)
    at directory.c:2401
#6 0x000000000043c0a5 in connection_dir_process_inbuf (conn=0x5bc9)
    at directory.c:1769
#7 0x0000000000425cf5 in connection_handle_read (conn=0x490c150)
    at connection.c:1813
#8 0x00000000004523b0 in conn_read_callback (fd=<value optimized out>,
    event=<value optimized out>, _conn=<value optimized out>) at main.c:470
#9 0x00002b51baa8d0e2 in event_base_loop () from /usr/lib/
#10 0x0000000000451fe8 in do_main_loop () at main.c:1388
#11 0x0000000000452167 in tor_main (argc=<value optimized out>,
    argv=<value optimized out>) at main.c:1927
#12 0x00002b51bb1834ca in libc_start_main () from /lib/
#13 0x000000000040652a in _start () at ../sysdeps/x86_64/elf/start.S:113

Might be fixed by r11893.

comment:2 Changed 12 years ago by nickm

The r11893 fix looks quite likely to work.

comment:3 Changed 12 years ago by arma

flyspray2trac: bug closed.
It hasn't happened again. Good enough for me.

comment:4 Changed 7 years ago by nickm

Component: Tor Relay → Tor