Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6029 closed defect (not a bug)

relay crash in libcrypto (tor_tls_handshake)

Reported by: ln5
Owned by:
Priority: High
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.3.15-alpha
Severity:
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by Sebastian)

This is on a very fast relay (>200 mbit/s). Started happening the day
before yesterday without any known changes to tor, libevent or
openssl. Reproducible within hours it seems.

$ uname -a
Linux tor 2.6.32-38-server #83-Ubuntu SMP Wed Jan 4 11:26:59 UTC 2012 x86_64 GNU/Linux

libevent is 2.0.19-stable.

Jun 01 08:49:46.000 [notice] Tor 0.2.3.15-alpha (git-2513a3e959b61612) opening log file.
Jun 01 08:49:46.000 [notice] This version of OpenSSL has a known-good EVP counter-mode implementation. Using it.
Jun 01 08:49:46.000 [notice] OpenSSL OpenSSL 1.0.1c 10 May 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
Jun 01 08:49:46.000 [notice] Your Tor server's identity key fingerprint is 'ndnr1 6330CCF8FEED2EF9B12FCF6688E2577C65522BA4'

(gdb) bt full
#0  0x00007ffff6a02acd in write () from /lib/libc.so.6
No symbol table info available.
#1  0x00007ffff71a1035 in sock_write () from /home/linus/usr/lib/libcrypto.so.1.0.0
No symbol table info available.
#2  0x00007ffff719f1a7 in BIO_write () from /home/linus/usr/lib/libcrypto.so.1.0.0
No symbol table info available.
#3  0x00007ffff71a2389 in buffer_ctrl () from /home/linus/usr/lib/libcrypto.so.1.0.0
No symbol table info available.
#4  0x00007ffff74b6307 in ssl3_accept () from /home/linus/usr/lib/libssl.so.1.0.0
No symbol table info available.
#5  0x00007ffff74c2b05 in ssl23_get_client_hello () from /home/linus/usr/lib/libssl.so.1.0.0
No symbol table info available.
#6  0x00007ffff74c33e5 in ssl23_accept () from /home/linus/usr/lib/libssl.so.1.0.0
No symbol table info available.
#7  0x000000000052e3f9 in tor_tls_handshake (tls=0x7fffdc774b60) at tortls.c:1743
        r = 0
        oldstate = 24576
        __PRETTY_FUNCTION__ = "tor_tls_handshake"
        __func__ = "tor_tls_handshake"
#8  0x00000000004bd04e in connection_tls_continue_handshake (conn=0x7fffdc4507a0)
    at connection_or.c:1182
        result = 7
        __PRETTY_FUNCTION__ = "connection_tls_continue_handshake"
        __func__ = "connection_tls_continue_handshake"
#9  0x00000000004bcf01 in connection_tls_start_handshake (conn=0x7fffdc4507a0, receiving=1)
    at connection_or.c:1139
        __PRETTY_FUNCTION__ = "connection_tls_start_handshake"
        __func__ = "connection_tls_start_handshake"
#10 0x00000000004a7b5b in connection_init_accepted_conn (conn=0x7fffdc4507a0, listener=0x7ac900)
    at connection.c:1278
No locals.
#11 0x00000000004a7a7f in connection_handle_listener_read (conn=0x7ac900, new_type=4)
    at connection.c:1256
        news = 314
        newconn = 0x7fffdc4507a0
        addrbuf = {ss_family = 2, __ss_align = 0, __ss_padding = '\000' <repeats 111 times>}
        remote = 0x7fffffffddd0
        remotelen = 16
        options = 0x7a9c80
        __PRETTY_FUNCTION__ = "connection_handle_listener_read"
        __func__ = "connection_handle_listener_read"
#12 0x00000000004aad5e in connection_handle_read_impl (conn=0x7ac900) at connection.c:2627
        max_to_read = -1
        try_to_read = 140737354119250
        before = 140737488346864
        n_read = 0
        socket_error = 0
        __PRETTY_FUNCTION__ = "connection_handle_read_impl"
        __func__ = "connection_handle_read_impl"
#13 0x00000000004ab14e in connection_handle_read (conn=0x7ac900) at connection.c:2721
        res = 32767
#14 0x000000000040a578 in conn_read_callback (fd=8, event=2, _conn=0x7ac900) at main.c:702
        conn = 0x7ac900
        __PRETTY_FUNCTION__ = "conn_read_callback"
#15 0x00007ffff771010c in event_process_active_single_queue (base=0x7ac110, flags=<value optimized out>)
    at event.c:1346
        ev = 0x7ac9d0
#16 event_process_active (base=0x7ac110, flags=<value optimized out>) at event.c:1416
        activeq = 0x7ab9b0
        i = 0
#17 event_base_loop (base=0x7ac110, flags=<value optimized out>) at event.c:1617
        n = 1
        evsel = 0x7ffff7940d80
        tv = {tv_sec = 0, tv_usec = 53123}
        tv_p = <value optimized out>
        res = <value optimized out>
        retval = <value optimized out>
        __func__ = "event_base_loop"
#18 0x000000000040cf32 in do_main_loop () at main.c:1924
        loop_result = 0
        now = 1338533388
        __PRETTY_FUNCTION__ = "do_main_loop"
        __func__ = "do_main_loop"
#19 0x000000000040e4a7 in tor_main (argc=3, argv=0x7fffffffe1f8) at main.c:2619
        result = 0
        __PRETTY_FUNCTION__ = "tor_main"
#20 0x0000000000408b34 in main (argc=3, argv=0x7fffffffe1f8) at tor_main.c:30
No locals.


Change History (11)

comment:1 in reply to: description; Changed 7 years ago by Sebastian

Description: modified (diff)


comment:2 Changed 7 years ago by nickm

Milestone: Tor: 0.2.3.x-final
Version: Tor: 0.2.3.15-alpha

Weird! Since the only way to get a crash in write() is to give it a bad buffer or an overlong length... and since the arguments to BIO_write here are coming from the BIO_CTRL_FLUSH case of buffer_ctrl in openssl's crypto/bio/bf_buff.c ... something has to be screwed up in the BIO internals.

If the crash is always in the same place, I'd suspect some kind of use-after-free thing, or something else that could allow a BIO specifically to become corrupt. It would help to debug this if you can have gdb dump out (in tor_tls_handshake) the values of *tls, *tls->ssl, and *tls->ssl->wbio.

If the crash isn't always in the same place, I'd suspect a memory corruption issue.

comment:3 in reply to: 2; Changed 7 years ago by ln5

Replying to nickm:

If the crash isn't always in the same place, I'd suspect a memory corruption issue.

Forgot to mention that.

First two crashes, before rebuilding with symbols and w/o gcc hardening options:

May 31 04:24:44 tor kernel: [9547180.260104] tor[32318]: segfault at 7f328fff8000 ip 00007f32b876e5d8 sp 00007fffd3eaac60 error 4 in libcrypto.so.1.0.0[7f32b86f8000+1b2000]
Jun 1 02:24:13 tor kernel: [9626147.616888] tor[20728]: segfault at 7fc521325000 ip 00007fc53f4fd5dd sp 00007fffc4c89130 error 4 in libcrypto.so.1.0.0[7fc53f487000+1b2000]

Same offset in libcrypto.so.

In the last crash, I unfortunately don't know where libcrypto was
loaded (when running tor in gdb). Strangely enough, nm -g
libcrypto.so shows nothing with a higher offset than '0000000000179320
R RSA_version'. I don't understand this.

I will 'continue' in gdb after the next crash and hopefully get the
kernel segfault printout.

I just realised that this machine is a bit unhappy about something
related to TCP. The kernel said

WARNING: at /build/buildd/linux-2.6.32/net/ipv4/tcp_input.c:2919 tcp_fastretrans_alert+0x3f9/0xd90()

yesterday (not at the time of a tor crash). Maybe I should i) check
RAM and ii) benchmark TCP throughput excluding tor before we spend
more time on this.
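A small triage helper, added here and not code from the ticket or from Tor, that parses the two kernel segfault lines quoted above (embedded as sample input) and does what the reporter did by hand: it computes the faulting instruction's offset inside libcrypto.so so crashes from different ASLR'd runs can be compared, checks whether they land within a few bytes of each other, and decodes the page-fault error code (error 4 is a user-mode read of a page that is not mapped; both faulting addresses here sit on a page boundary). The 4 KiB page size and the 16-byte "same spot" slack are assumptions of this example.

```python
import re

# Sample input: the two kernel lines quoted in comment:3 (copied, not new data).
SEGFAULT_LINES = [
    "May 31 04:24:44 tor kernel: [9547180.260104] tor[32318]: segfault at 7f328fff8000 "
    "ip 00007f32b876e5d8 sp 00007fffd3eaac60 error 4 in libcrypto.so.1.0.0[7f32b86f8000+1b2000]",
    "Jun 1 02:24:13 tor kernel: [9626147.616888] tor[20728]: segfault at 7fc521325000 "
    "ip 00007fc53f4fd5dd sp 00007fffc4c89130 error 4 in libcrypto.so.1.0.0[7fc53f487000+1b2000]",
]

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<lib>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

PAGE_SIZE = 4096  # assumption: x86-64 base page size, so page-aligned fault addresses stand out


def decode_error(err):
    """Decode the x86 page-fault error code the kernel prints after 'error'."""
    return {
        "protection": bool(err & 1),       # False: the page is not mapped at all
        "write": bool(err & 2),            # False: the faulting access was a read
        "user": bool(err & 4),             # True: raised from user mode
        "reserved_bit": bool(err & 8),
        "instruction_fetch": bool(err & 16),
    }


def parse_segfault(line):
    """Return the crash facts a triager wants, or None if the line is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip, base, size = (int(m.group(k), 16) for k in ("addr", "ip", "base", "size"))
    return {
        "pid": int(m.group("pid")),
        "lib": m.group("lib"),
        "ip_in_lib": base <= ip < base + size,
        "offset": ip - base,               # library-relative, so comparable across ASLR runs
        "fault_addr": addr,
        "fault_page_aligned": addr % PAGE_SIZE == 0,
        "error": decode_error(int(m.group("err"))),
    }


def summarise(crash):
    """One-line description in the style a triager would paste into the ticket."""
    e = crash["error"]
    kind = "write" if e["write"] else "read"
    mapped = "protection fault" if e["protection"] else "unmapped page"
    return "pid %d: %s of %s at 0x%x from %s+0x%x%s" % (
        crash["pid"], kind, mapped, crash["fault_addr"], crash["lib"], crash["offset"],
        " (page boundary)" if crash["fault_page_aligned"] else "")


def offsets_within(lines, slack=16):
    """True when every crash lands within `slack` bytes of the same spot in the same library."""
    crashes = [c for c in map(parse_segfault, lines) if c]
    offs = [c["offset"] for c in crashes]
    return len({c["lib"] for c in crashes}) == 1 and max(offs) - min(offs) <= slack
```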

comment:4 Changed 7 years ago by ln5

Another crash looks like this.

#0 0x00007ffff6a02acd in write () from /lib/libc.so.6
#1 0x00007ffff71a1035 in sock_write () from /home/linus/usr/lib/libcrypto.so.1.0.0
#2 0x00007ffff719f1a7 in BIO_write () from /home/linus/usr/lib/libcrypto.so.1.0.0
#3 0x00007ffff74bf7f4 in ssl3_write_pending () from /home/linus/usr/lib/libssl.so.1.0.0
#4 0x00007ffff74c00ef in ssl3_write_bytes () from /home/linus/usr/lib/libssl.so.1.0.0
#5 0x000000000052e17f in tor_tls_write (tls=0x7fffec7d0d10, [scrubbed /ln], n=3296) at tortls.c:1715
#6 0x00000000004706e8 in flush_chunk_tls (tls=0x7fffec7d0d10, buf=0x7fffed08c040,
    chunk=0x7fffe5779ca0, sz=3296, buf_flushlen=0x7fffed0098f0) at buffers.c:836
#7 0x0000000000470d99 in flush_buf_tls (tls=0x7fffec7d0d10, buf=0x7fffed08c040, flushlen=16384,
    buf_flushlen=0x7fffed0098f0) at buffers.c:921
#8 0x00000000004abda4 in connection_handle_write_impl (conn=0x7fffed0098c0, force=0)
    at connection.c:3211
#9 0x00000000004ac216 in connection_handle_write (conn=0x7fffed0098c0, force=0) at connection.c:3312
#10 0x000000000040a751 in conn_write_callback (fd=4231, events=4, _conn=0x7fffed0098c0) at main.c:735
#11 0x00007ffff771010c in event_process_active_single_queue (base=0x7ac110, flags=<value optimized out>)
    at event.c:1346
#12 event_process_active (base=0x7ac110, flags=<value optimized out>) at event.c:1416
#13 event_base_loop (base=0x7ac110, flags=<value optimized out>) at event.c:1617
#14 0x000000000040cf32 in do_main_loop () at main.c:1924
#15 0x000000000040e4a7 in tor_main (argc=3, argv=0x7fffffffe798) at main.c:2619
#16 0x0000000000408b34 in main (argc=3, argv=0x7fffffffe798) at tor_main.c:30

(gdb) up 5
#5 0x000000000052e17f in tor_tls_write (tls=0x7fffec7d0d10, [scrubbed /ln], n=3296) at tortls.c:1715
1715      r = SSL_write(tls->ssl, cp, (int)n);
(gdb) p *tls
$1 = {magic = 1901532529, context = 0x7fffdc57eee0, ssl = 0x7fffedb96b10, socket = 4231,
    address = 0x7fffed134a80 "[scrubbed]", state = TOR_TLS_ST_OPEN, isServer = 1, wasV2Handshake = 1,
    got_renegotiate = 0, server_handshake_count = 2 '\002', wantwrite_n = 0, last_write_count = 216696,
    last_read_count = 31075, negotiated_callback = 0, callback_arg = 0x0}
(gdb) p *tls->ssl
$2 = {version = 769, type = 8192, method = 0x7ffff76f5480, rbio = 0x7fffec22f6b0,
    wbio = 0x7fffec22f6b0, bbio = 0x0, rwstate = 2, in_handshake = 0,
    handshake_func = 0x7ffff74b57e0 <ssl3_accept>, server = 1, new_session = 0, quiet_shutdown = 0,
    shutdown = 0, state = 3, rstate = 240, init_buf = 0x0, init_msg = 0x7fffe5ee3ce4, init_num = 0,
    init_off = 0, packet = 0x7fffe4819d83 "\334\377\177", packet_length = 0, s2 = 0x0,
    s3 = 0x7fffec192500, d1 = 0x0, read_ahead = 0, msg_callback = 0, msg_callback_arg = 0x0, hit = 0,
    param = 0x7fffec760df0, cipher_list = 0x7fffed664a70, cipher_list_by_id = 0x7fffed3247b0,
    mac_flags = 0, enc_read_ctx = 0x7fffe5ea5fd0, read_hash = 0x7fffe504ee90, expand = 0x0,
    enc_write_ctx = 0x7fffe4ac97e0, write_hash = 0x7fffe4f67790, compress = 0x0, cert = 0x7fffedbe69c0,
    sid_ctx_length = 0, sid_ctx = '\000' <repeats 31 times>, session = 0x7fffe46a21b0,
    generate_session_id = 0, verify_mode = 1, verify_callback = 0x52a9e6 <always_accept_verify_cb>,
    info_callback = 0x52c992 <tor_tls_debug_state_callback>, error = 0, error_code = 0,
    psk_client_callback = 0, psk_server_callback = 0, ctx = 0x7fffdc4a0b60, debug = 0, verify_result = 0,
    ex_data = {sk = 0x7fffec2a6ad0, dummy = 0}, client_CA = 0x0, references = 1, options = 18153476,
    mode = 18, max_cert_list = 102400, first_packet = 0, client_version = 769, max_send_fragment = 16384,
    tlsext_debug_cb = 0, tlsext_debug_arg = 0x0, tlsext_hostname = 0x0, servername_done = 0,
    tlsext_status_type = -1, tlsext_status_expected = 0, tlsext_ocsp_ids = 0x0, tlsext_ocsp_exts = 0x0,
    tlsext_ocsp_resp = 0x0, tlsext_ocsp_resplen = -1, tlsext_ticket_expected = 1,
    tlsext_ecpointformatlist_length = 0, tlsext_ecpointformatlist = 0x0,
    tlsext_ellipticcurvelist_length = 0, tlsext_ellipticcurvelist = 0x0, tlsext_opaque_prf_input = 0x0,
    tlsext_opaque_prf_input_len = 0, tlsext_session_ticket = 0x0, tls_session_ticket_ext_cb = 0,
    tls_session_ticket_ext_cb_arg = 0x0, tls_session_secret_cb = 0, tls_session_secret_cb_arg = 0x0,
    initial_ctx = 0x7fffdc4a0b60, next_proto_negotiated = 0x0, next_proto_negotiated_len = 0 '\000',
    srtp_profiles = 0x0, srtp_profile = 0x0, tlsext_heartbeat = 0, tlsext_hb_pending = 0,
    tlsext_hb_seq = 0, renegotiate = 0, srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0,
        SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0, login = 0x0, N = 0x0, g = 0x0,
        s = 0x0, B = 0x0, A = 0x0, a = 0x0, b = 0x0, v = 0x0, info = 0x0, strength = 1024, srp_Mask = 0}}
(gdb) p *tls->ssl->wbio
$3 = {method = 0x7ffff74885a0, callback = 0, cb_arg = 0x0, init = 1, shutdown = 0, flags = 0,
    retry_reason = 0, num = 4231, ptr = 0x0, next_bio = 0x0, prev_bio = 0x0, references = 1,
    num_read = 31075, num_write = 216696, ex_data = {sk = 0x0, dummy = 0}}

comment:5 Changed 7 years ago by ln5

(Another try at getting monospaced fonts.)


comment:6 Changed 7 years ago by arma

If you run it inside valgrind, it won't handle that level of load. But it might still trigger the bug?

comment:7 Changed 7 years ago by nickm

Okay, that one's in write(), as called from sock_write, which lives in bss_sock.c.

It calls writesocket (an alias for write()) as "write_socket(b->num, in, inl)". in and inl come as arguments from BIO_write(), and are passed in directly as the arguments of BIO_write. Looks like that is called as:

    i=BIO_write(s->wbio,
            (char *)&(wb->buf[wb->offset]),
            (unsigned int)wb->left);

If you still have that crash, can you also dump tls->ssl->s3 and tls->ssl->s3->wbuf?
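To weigh nickm's use-after-free theory from comment:2 against the dumps in comment:4, and to make the next round of dumps he asks for above easy to compare, here is an added helper that is not part of the ticket or of Tor: it parses gdb's struct-print output into nested dicts and cross-checks the tor_tls_t, SSL and BIO values against each other. The sample input is the page's own dumps trimmed to the fields used; the invariants checked (one socket BIO shared by rbio and wbio after SSL_set_fd, BIO fd equal to the tor_tls socket, BIO byte counters never below Tor's last snapshot, an unchained BIO outside a handshake) are this example's assumptions about a healthy connection, not rules taken from the page.

```python
# Sample input: the `p *tls`, `p *tls->ssl` and `p *tls->ssl->wbio` output from
# comment:4, shortened to the fields used below (the values are the page's own).
GDB_TLS = ("$1 = {magic = 1901532529, context = 0x7fffdc57eee0, ssl = 0x7fffedb96b10, "
           'socket = 4231, address = 0x7fffed134a80 "[scrubbed]", state = TOR_TLS_ST_OPEN, '
           "isServer = 1, wasV2Handshake = 1, server_handshake_count = 2 '\\002', "
           "wantwrite_n = 0, last_write_count = 216696, last_read_count = 31075, callback_arg = 0x0}")
GDB_SSL = ("$2 = {version = 769, type = 8192, rbio = 0x7fffec22f6b0, wbio = 0x7fffec22f6b0, "
           "bbio = 0x0, rwstate = 2, in_handshake = 0, handshake_func = 0x7ffff74b57e0 <ssl3_accept>, "
           "server = 1, state = 3, sid_ctx_length = 0, sid_ctx = '\\000' <repeats 31 times>, "
           "ex_data = {sk = 0x7fffec2a6ad0, dummy = 0}, references = 1, max_send_fragment = 16384}")
GDB_WBIO = ("$3 = {method = 0x7ffff74885a0, callback = 0, init = 1, shutdown = 0, flags = 0, "
            "retry_reason = 0, num = 4231, ptr = 0x0, next_bio = 0x0, prev_bio = 0x0, "
            "references = 1, num_read = 31075, num_write = 216696, ex_data = {sk = 0x0, dummy = 0}}")


def _split_fields(body):
    """Split on commas outside {}, <> and quotes (gdb nests structs and quotes strings)."""
    fields, cur, depth, quote = [], [], 0, None
    for ch in body:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "{<":
            depth += 1
        elif ch in "}>":
            depth -= 1
        elif ch == "," and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    fields.append("".join(cur).strip())
    return [f for f in fields if f]


def _scalar(text):
    """Keep the leading number of values like `0x7fff... "str"` or `2 '\\002'`; else raw text."""
    try:
        return int(text.split()[0], 0)
    except ValueError:
        return text


def parse_gdb_struct(text):
    """Turn `$1 = {a = 1, b = {c = 0x0}}` into nested dicts: {'a': 1, 'b': {'c': 0}}."""
    text = text.strip()
    if not text.startswith("{"):          # drop gdb's `$1 = ` value-history prefix
        text = text.split("=", 1)[1].strip()
    out = {}
    for field in _split_fields(text[1:-1]):
        key, _, value = (part.strip() for part in field.partition("="))
        out[key] = parse_gdb_struct(value) if value.startswith("{") else _scalar(value)
    return out


def bio_findings(tls, ssl, wbio):
    """Invariants a healthy SSL_set_fd() socket BIO should satisfy (assumptions, not Tor rules).
    A freed or overwritten BIO, comment:2's use-after-free theory, usually breaks several."""
    findings = []
    if ssl["rbio"] != ssl["wbio"]:
        findings.append("rbio != wbio, but SSL_set_fd installs one BIO for both directions")
    if wbio["num"] != tls["socket"]:
        findings.append("BIO fd %r differs from tor_tls socket %r" % (wbio["num"], tls["socket"]))
    if wbio["num_write"] < tls["last_write_count"] or wbio["num_read"] < tls["last_read_count"]:
        findings.append("BIO byte counters are below the tor_tls snapshot; they only ever grow")
    if wbio["references"] < 1 or wbio["init"] != 1 or wbio["shutdown"] != 0:
        findings.append("BIO looks freed, uninitialised or shut down")
    if ssl["in_handshake"] == 0 and (wbio["next_bio"] != 0 or wbio["prev_bio"] != 0):
        findings.append("socket BIO is chained although no handshake buffering should be active")
    return findings
```

For the comment:4 dumps `bio_findings(parse_gdb_struct(GDB_TLS), parse_gdb_struct(GDB_SSL), parse_gdb_struct(GDB_WBIO))` returns an empty list, i.e. the BIO still agrees with the tor_tls_t that owns it at the moment of the crash.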

comment:8 in reply to: 3; Changed 7 years ago by cypherpunks

Replying to ln5:

Maybe I should i) check RAM

So RAM is ok?

comment:9 Changed 7 years ago by ln5

Resolution: not a bug
Status: new → closed

RAM was OK.
Unable to reproduce further.
Closing.

comment:10 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:11 Changed 7 years ago by nickm

Component: Tor Relay → Tor