
Re: [tor-bugs] #22417 [Core Tor/Tor]: crash: double free or corruption (fasttop):



#22417: crash: double free or corruption (fasttop):
-------------------------------------------------+-------------------------
 Reporter:  toralf                               |          Owner:
     Type:  defect                               |         Status:  needs_review
 Priority:  High                                 |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor                         |        Version:  Tor: 0.3.1.2-alpha
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-relay regression torrc reload    |  Actual Points:
  crash                                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by Jigsaw52):

 * status:  new => needs_review


Comment:

 I was able to reproduce this and I fixed it. Here is the fix:
 https://github.com/Jigsaw52/tor/tree/fix-22417

 The bug was triggered by including a folder with a non-empty file without
 any values followed by another file.

 The problem is in the config_process_include() function. When this
 function is called to process an included folder, it will call
 config_get_included_list() for each file in the folder.
 config_get_included_list() will write the list of values on the file to
 included_list and the pointer to the last entry of the list to list_last.
 When a file contains no values, both included_list and list_last will be
 null. The bug is that, after calling config_get_included_list(), we update
 the *next pointer with the following code:

 {{{
     **next = included_list;
     *next = &(*list_last)->next;
 }}}

 When *list_last is null, we're updating *next with the offset of next
 on the config_line_t struct (0x10 on a 64bit system). The next file on the
 folder will go through the same code and crash when writing to **next.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22417#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
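As an added illustration of the pointer bug described in the comment above (this is not code from the ticket, from the fix-22417 branch, or from Tor itself), the following self-contained C program reduces the folder branch of config_process_include() to a stand-in that splices each file's line list onto a running tail slot. The config_line_t layout (key, value, next), the fake_get_included_list() stand-in, the sample "files", and the hardened link_included_fixed() are all my own assumptions for the demonstration; the fix shown is one way to skip the tail update when a file produced no lines, not necessarily what the linked branch does.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for Tor's config_line_t (assumed layout: key, value, next). */
typedef struct config_line_t {
  char *key;
  char *value;
  struct config_line_t *next;
} config_line_t;

/* A constructed "file": NULL-terminated array of "Key value" strings. An array
   with no entries plays the role of a non-empty file that yields no values. */
typedef const char *const *fake_file;

typedef void (*link_fn)(config_line_t ***next, config_line_t *included_list,
                        config_line_t **list_last);

static char *dupn(const char *s, size_t n)
{
  char *out = malloc(n + 1); /* demo code: allocation failures not handled */
  memcpy(out, s, n);
  out[n] = '\0';
  return out;
}

/* Stand-in for config_get_included_list(): returns the head of the parsed
   list and writes its tail to *list_last. For a file with no values both are
   NULL, which is exactly the case the ticket describes. */
static config_line_t *fake_get_included_list(fake_file file,
                                             config_line_t **list_last)
{
  config_line_t *head = NULL, *tail = NULL;
  for (size_t i = 0; file[i]; i++) {
    const char *sp = strchr(file[i], ' ');
    config_line_t *line = calloc(1, sizeof *line);
    line->key = dupn(file[i], sp ? (size_t)(sp - file[i]) : strlen(file[i]));
    line->value = dupn(sp ? sp + 1 : "", strlen(sp ? sp + 1 : ""));
    if (tail) tail->next = line; else head = line;
    tail = line;
  }
  *list_last = tail;
  return head;
}

/* The two lines quoted in the ticket. When *list_last is NULL the second line
   evaluates &NULL->next: undefined behaviour that in practice yields the field
   offset (0x10 on 64-bit) as a pointer, so the next file's **next store writes
   to address 0x10 and the process crashes. Never called with an empty file here. */
static void link_included_buggy(config_line_t ***next,
                                config_line_t *included_list,
                                config_line_t **list_last)
{
  **next = included_list;
  *next = &(*list_last)->next;
}

/* Hardened form (my own illustration, not necessarily the fix-22417 patch):
   a file that produced no lines contributes nothing, so leave *next pointing
   at the current tail slot instead of deriving a slot from a NULL tail. */
static void link_included_fixed(config_line_t ***next,
                                config_line_t *included_list,
                                config_line_t **list_last)
{
  if (!included_list || !*list_last)
    return;
  **next = included_list;
  *next = &(*list_last)->next;
}

/* Stand-in for the folder branch of config_process_include(): splice each
   file's lines onto the end of the result, in directory order. */
static config_line_t *process_include_folder(const fake_file *folder,
                                             size_t nfiles, link_fn link)
{
  config_line_t *result = NULL;
  config_line_t **next = &result; /* slot where the next list gets stored */
  for (size_t i = 0; i < nfiles; i++) {
    config_line_t *list_last = NULL;
    config_line_t *included = fake_get_included_list(folder[i], &list_last);
    link(&next, included, &list_last);
  }
  return result;
}

static size_t count_lines(const config_line_t *l)
{
  size_t n = 0;
  for (; l; l = l->next) n++;
  return n;
}

static const char *nth_key(const config_line_t *l, size_t n)
{
  for (; l && n; l = l->next) n--;
  return l ? l->key : NULL;
}

/* The number the buggy line turns into a pointer, computed without UB. */
static size_t bogus_tail_slot(void) { return offsetof(config_line_t, next); }

/* Constructed sample folders: the ticket's trigger is an empty-valued file
   followed by one with values; a second empty file checks the fix holds up. */
static const char *const file_empty[] = { NULL };
static const char *const file_values1[] = { "ORPort 9001", "Nickname example", NULL };
static const char *const file_values2[] = { "ContactInfo nobody", NULL };
static const fake_file trigger_folder[] = { file_empty, file_values1, file_empty, file_values2 };
static const fake_file benign_folder[] = { file_values1, file_values2 };

static config_line_t *run_trigger_fixed(void)
{ return process_include_folder(trigger_folder, 4, link_included_fixed); }
static config_line_t *run_benign_buggy(void)
{ return process_include_folder(benign_folder, 2, link_included_buggy); }

int main(void)
{
  printf("slot the buggy code would write through after an empty file: %#zx\n",
         bogus_tail_slot());
  for (const config_line_t *l = run_trigger_fixed(); l; l = l->next)
    printf("%s = %s\n", l->key, l->value);
  return 0;
}
```

Running it prints the 0x10 offset the comment mentions and the three merged lines from the trigger folder; swapping link_included_fixed for link_included_buggy on trigger_folder reproduces the write to 0x10 and the crash.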