Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#6774 closed defect (fixed)

segfault in entry_guards_parse_state()

Reported by: asn
Owned by:
Priority: Low
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version:
Severity:
Keywords: tor-client
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I got:

Program received signal SIGSEGV, Segmentation fault.
entry_guards_parse_state (state=state@entry=0x5555558e4840, set=set@entry=0, msg=0x7fffffffe1f0) at src/or/circuitbuild.c:4913
4913                           node->first_hops = hop_cnt;

It seems that if there is an EntryGuardPathBias line without an EntryGuard line before it, it will try to do node->first_hops = hop_cnt with node being NULL, since node is instantiated when the first EntryGuard line is encountered.

Other codepaths in the same function, like EntryGuardDownSince, check for !node but it seems that EntryGuardPathBias doesn't. Checking for !node might be a sufficient fix.
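To make the failure mode concrete, here is an added, self-contained re-creation of the parsing shape the report describes. It is example code written for this page, not Tor's own entry_guards_parse_state(): the record layout, the line formats ("EntryGuard <nickname> <fingerprint>", "EntryGuardPathBias <first_hops> <circ_successes>", "EntryGuardDownSince <date>") and the function names are assumptions made for illustration. The one thing it mirrors faithfully is the structure of the bug: `node` is NULL until an EntryGuard line has been seen, every later key refers to that record, and the fix is the `!node` check on the EntryGuardPathBias branch that the other branches already had.

```c
/* Added example: hypothetical parser modelled on the ticket's description.
 * NOT Tor's code; line formats and names are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_GUARDS 16

typedef struct {
    char nickname[32];
    int down_since_seen;           /* an EntryGuardDownSince line was present */
    unsigned long first_hops;      /* from EntryGuardPathBias (assumed layout) */
    unsigned long circ_successes;  /* from EntryGuardPathBias (assumed layout) */
} guard_t;

typedef struct {
    guard_t guards[MAX_GUARDS];
    int n_guards;
} guard_list_t;

/* Parse a newline-separated block of state-file lines into 'out'.
 * Returns 0 on success, -1 on failure with a static message in *msg.
 * 'node' points at the record started by the most recent EntryGuard line
 * and stays NULL until one is seen; that NULL is what the unpatched
 * EntryGuardPathBias branch dereferenced. */
int parse_guard_state(const char *state, guard_list_t *out, const char **msg)
{
    guard_t *node = NULL;
    const char *p = state;

    memset(out, 0, sizeof(*out));
    *msg = NULL;

    while (*p) {
        char line[256], key[32];
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        int consumed = 0;

        if (n >= sizeof(line)) { *msg = "state line too long"; return -1; }
        memcpy(line, p, n);
        line[n] = '\0';
        p = nl ? nl + 1 : p + n;

        if (sscanf(line, "%31s%n", key, &consumed) != 1)
            continue;                               /* blank line */
        const char *rest = line + consumed;

        if (strcmp(key, "EntryGuard") == 0) {
            if (out->n_guards == MAX_GUARDS) { *msg = "too many guards"; return -1; }
            node = &out->guards[out->n_guards++];   /* node becomes non-NULL here */
            if (sscanf(rest, "%31s", node->nickname) != 1) {
                *msg = "Bad EntryGuard line"; return -1;
            }
        } else if (strcmp(key, "EntryGuardDownSince") == 0) {
            /* This branch already checked for !node in the reported version. */
            if (!node) { *msg = "EntryGuardDownSince without EntryGuard"; return -1; }
            node->down_since_seen = 1;
        } else if (strcmp(key, "EntryGuardPathBias") == 0) {
            /* The check the fix adds: without it, a PathBias line that
             * precedes any EntryGuard line writes through a NULL pointer. */
            if (!node) { *msg = "EntryGuardPathBias without EntryGuard"; return -1; }
            if (sscanf(rest, "%lu %lu", &node->first_hops, &node->circ_successes) != 2) {
                *msg = "Bad EntryGuardPathBias line"; return -1;
            }
        }
        /* Other keys are ignored in this example. */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not real state-file contents. */
    const char *good = "EntryGuard alice ABCDEF\nEntryGuardPathBias 10 9\n";
    const char *bad  = "EntryGuardPathBias 10 9\nEntryGuard alice ABCDEF\n";
    guard_list_t g;
    const char *msg;

    printf("good: rc=%d guards=%d\n", parse_guard_state(good, &g, &msg), g.n_guards);
    printf("bad:  rc=%d msg=%s\n", parse_guard_state(bad, &g, &msg), msg);
    return 0;
}
```

The second input is the corrupted ordering from the report; with the check in place the parser rejects it with a message instead of faulting, which is the behaviour to expect from the patched client when it hits such a state file.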

Child Tickets

Change History (7)

comment:1 Changed 7 years ago by asn

Why my state file was left in such a condition is another question. Unfortunately, I didn't keep a copy of my state file.

comment:2 Changed 7 years ago by nickm

Priority: normal → minor

Branch "bug6774" in my public repo has the obvious fix. Is this worth putting on 0.2.3? It isn't a security issue afaict, since an attacker with write access to your state file has plenty of other ways to screw you.

comment:3 Changed 7 years ago by nickm

Status: new → needs_review

comment:4 in reply to: 2 Changed 7 years ago by asn

Replying to nickm:

Branch "bug6774" in my public repo has the obvious fix. Is this worth putting on 0.2.3? It isn't a security issue afaict, since an attacker with write access to your state file has plenty of other ways to screw you.

Patch looks good to me.

Doesn't look like a security issue to me either. The extreme case would be if there is a specific action that a guard node can take and cause this state corruption so that you can't bootstrap tor. I'm sure that I didn't edit my state file, so there must be some kind of bug that leaves tor with this broken state.

comment:5 Changed 7 years ago by nickm

Resolution: fixed
Status: needs_review → closed

arma the Klingon Programmer says "merge it! Perhaps it is a good day to die!"

Merged into 0.2.3 and master.

comment:6 Changed 7 years ago by nickm

Keywords: tor-client added

comment:7 Changed 7 years ago by nickm

Component: Tor Client → Tor