[tor-bugs] #9288 [Tor]: Invalid memory read in `pt_configure_remaining_proxies()`
#9288: Invalid memory read in `pt_configure_remaining_proxies()`
--------------------+-------------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Keywords: | Parent:
Points: | Actualpoints:
--------------------+-------------------------------------------------------
{{{
void
pt_configure_remaining_proxies(void)
...
    /* If the proxy is not fully configured, try to configure it
       further. */
    if (!proxy_configuration_finished(mp))
      configure_proxy(mp);

    if (proxy_configuration_finished(mp))
      at_least_a_proxy_config_finished = 1;
}}}
If the managed proxy is destroyed during `configure_proxy()` (by going to
`handle_finished_proxy()`), then it is passed to
`proxy_configuration_finished()` which reads `mp->conf_state`. This is an
invalid memory read since the memory area of `mp` was freed.

Not too hard to fix. An inelegant fix would be to make `configure_proxy()`
return an int, that would warn `pt_configure_remaining_proxies()` if it
destroys the managed proxy.

Bug present since 0.2.4.x. Doesn't seem threatening, so we can fix it just
in 0.2.5.x. The bug triggers when something bad happens during the
managed-proxy configuration protocol, and we have to destroy the managed
proxy.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9288>
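The return-value approach suggested in the ticket, shown on a simplified model as an added example (not Tor's code and not the fix that was committed). The struct layout, the `ST_*` state names and the `configure_remaining()` wrapper are assumptions made for illustration; only the function names mentioned in the ticket are reused.

```c
#include <stdlib.h>

/* Simplified stand-ins for Tor's types; states and fields are assumptions. */
enum pt_state { ST_LAUNCHED, ST_BROKEN, ST_COMPLETED };
typedef struct managed_proxy_t { enum pt_state conf_state; } managed_proxy_t;

static int proxy_configuration_finished(const managed_proxy_t *mp) {
  return mp->conf_state == ST_COMPLETED;
}

/* Frees the proxy: after this call the caller's pointer is dangling. */
static void handle_finished_proxy(managed_proxy_t *mp) { free(mp); }

/* Returns 0 if mp is still valid, -1 if mp was destroyed and must not be read. */
static int configure_proxy(managed_proxy_t *mp) {
  if (mp->conf_state == ST_BROKEN) {      /* "something bad happened" */
    handle_finished_proxy(mp);
    return -1;
  }
  mp->conf_state = ST_COMPLETED;
  return 0;
}

/* Loop in the shape of pt_configure_remaining_proxies(): the return value is
 * checked before mp is touched again, and the freed slot is cleared. */
static int configure_remaining(managed_proxy_t **proxies, int n) {
  int at_least_a_proxy_config_finished = 0;
  for (int i = 0; i < n; i++) {
    managed_proxy_t *mp = proxies[i];
    if (!mp)
      continue;
    if (!proxy_configuration_finished(mp) && configure_proxy(mp) < 0) {
      proxies[i] = NULL;   /* destroyed: drop the dangling pointer */
      continue;            /* never reaches the second conf_state read */
    }
    if (proxy_configuration_finished(mp))
      at_least_a_proxy_config_finished = 1;
  }
  return at_least_a_proxy_config_finished;
}

int main(void) {
  managed_proxy_t *bad = malloc(sizeof(*bad)), *ok = malloc(sizeof(*ok));
  if (!bad || !ok) return 1;
  bad->conf_state = ST_BROKEN; ok->conf_state = ST_LAUNCHED;
  managed_proxy_t *list[] = { bad, ok };   /* constructed sample input */
  int r = configure_remaining(list, 2);
  free(ok);
  return (r == 1 && list[0] == NULL) ? 0 : 1;
}
```

Building this with `-fsanitize=address` and removing the `< 0` check reproduces the kind of invalid read the ticket describes, which makes it usable as a regression test for the pattern.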