Opened 8 years ago

Closed 8 years ago

#7422 closed defect (fixed)

tor_cert_decode() memory leak

Reported by: arma
Owned by: andrea
Priority: Medium
Milestone: Tor: 0.2.4.x-final
Component: Core Tor/Tor

Description

running on moria1 for a few hours:

==24953== 46,674 (2,560 direct, 44,114 indirect) bytes in 16 blocks are definitely lost in loss record 58 of 60
==24953==    at 0x4C244E8: malloc (vg_replace_malloc.c:236)
==24953==    by 0x226F77: tor_malloc_ (util.c:144)
==24953==    by 0x2285B5: tor_malloc_zero_ (util.c:170)
==24953==    by 0x236539: tor_cert_new (tortls.c:738)
==24953==    by 0x2377D7: tor_cert_decode (tortls.c:789)
==24953==    by 0x18B591: channel_tls_handle_var_cell (channeltls.c:1559)
==24953==    by 0x1CEDCF: connection_or_process_cells_from_inbuf (connection_or.c:1913)
==24953==    by 0x1C0D73: connection_handle_read (connection.c:2747)
==24953==    by 0x11CC30: conn_read_callback (main.c:721)
==24953==    by 0x52C9343: event_base_loop (in /usr/lib/libevent-1.4.so.2.1.3)
==24953==    by 0x11A5B0: do_main_loop (main.c:1987)
==24953==    by 0x11A96C: tor_main (main.c:2699)

This is Tor 0.2.4.5-alpha-dev (git-e1c7d12b1d91eea9) plus the one-liner patch from #7420 that shouldn't matter here.

Change History (4)

comment:1 Changed 8 years ago by nickm

Status: new → needs_review

Are you seeing any LOG_PROTOCOL_WARNS from channel_tls_process_certs_cell() in channeltls.c? Because it looks like in the ERR() macro in that function, "return" should be "goto err;".

This appears to be a new bug in 0.2.4, based on looking at the code. Branch "bug7422" in my public repository will fix at least one plausible cause of this. If there are more cases, I can't see them right now.

comment:2 Changed 8 years ago by arma

Nov 08 19:25:21.977 [info] channel_tls_process_certs_cell(): Received a bad CERTS cell from 78.105.243.209:9001: Problem setting or checking peer id
Nov 08 19:25:21.978 [info] conn_close_if_marked(): Conn (addr "78.105.243.209", fd 1702, type OR, state 7) marked, but wants to flush 929 bytes. (Marked at src/or/connection_or.c:1170)
Nov 08 19:25:21.979 [info] conn_close_if_marked(): We stalled too much while trying to write 929 bytes to address "78.105.243.209".  If this happens a lot, either something is wrong with your network connection, or something is wrong with theirs. (fd 1702, type OR, state 7, marked at src/or/connection_or.c:1170).
$ grep "Received a bad CERTS cell from " moria1-info|wc -l
11

Other reasons include "Nov 08 21:36:08.930 [info] channel_tls_process_certs_cell(): Received a bad CERTS cell from 103.5.15.89:443: The link certificate didn't match the TLS public key"

"Received undecodable certificate in CERTS cell from %s:%d" seems to never show up.

Any others I should look for?

comment:3 Changed 8 years ago by arma

your fix looks plausible

comment:4 Changed 8 years ago by nickm

Resolution: fixed
Status: needs_review → closed

That would explain the leak then; merged and closing. Please reopen if this leak isn't actually fixed.
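
The failure mode discussed in this ticket, as an added example (not Tor's code and not taken from the ticket): an error macro that does "return" skips the cleanup at the end of the function, while one that does "goto err;" reaches it. cert_t, cert_new(), cert_free(), warn() and the process_certs_* handlers are hypothetical stand-ins, and peer_id_ok is a constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical stand-in for a decoded certificate; not Tor's own type. */
typedef struct { int type; } cert_t;
static int live_certs = 0;               /* allocated but not yet freed */
static cert_t *cert_new(int type) {
  cert_t *c = calloc(1, sizeof(*c));
  if (!c) abort();
  c->type = type; live_certs++;
  return c;
}
static void cert_free(cert_t *c) { if (c) { live_certs--; free(c); } }
static void warn(const char *m) { fprintf(stderr, "bad CERTS cell: %s\n", m); }

/* Buggy shape: the error macro returns straight out of the function. */
#define ERR_RETURN(msg) do { warn(msg); return -1; } while (0)
/* Fixed shape: the error macro jumps to the shared cleanup label. */
#define ERR_GOTO(msg) do { warn(msg); goto err; } while (0)

static int process_certs_leaky(int peer_id_ok) {
  cert_t *link_cert = cert_new(1), *id_cert = cert_new(2);
  if (!peer_id_ok)
    ERR_RETURN("peer id check failed");  /* both certs are lost here */
  cert_free(link_cert); cert_free(id_cert);
  return 0;
}

static int process_certs_fixed(int peer_id_ok) {
  cert_t *link_cert = cert_new(1), *id_cert = cert_new(2);
  int rv = -1;
  if (!peer_id_ok)
    ERR_GOTO("peer id check failed");
  rv = 0;
 err:                                    /* reached on success and on error */
  cert_free(link_cert); cert_free(id_cert);
  return rv;
}

/* Run one handler on a constructed input; return the certs left allocated. */
static int certs_leaked_by(int (*handler)(int), int peer_id_ok) {
  live_certs = 0;
  handler(peer_id_ok);
  return live_certs;
}
int main(void) {
  printf("leaked with return: %d, with goto err: %d\n",
         certs_leaked_by(process_certs_leaky, 0),
         certs_leaked_by(process_certs_fixed, 0));
  return 0;
}
```

The leaky handler only loses memory on the rejected-cell path, which is why a leak of this shape shows up under valgrind only after bad cells have actually been received.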
