[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #11820 [Obfsproxy]: circuit `NoneType` in obfs3 handshake callbacks



#11820: circuit `NoneType` in obfs3 handshake callbacks
---------------------------+-----------------
     Reporter:  asn        |      Owner:  asn
         Type:  defect     |     Status:  new
     Priority:  normal     |  Milestone:
    Component:  Obfsproxy  |    Version:
   Resolution:             |   Keywords:
Actual Points:             |  Parent ID:
       Points:             |
---------------------------+-----------------

Comment (by asn):

 So, the exception is partially caused by `Circuit.close()` setting
 `self.transport.circuit` to `None`.
 It's also partially caused because the callback/errback of the obfs3
 handshake don't check that `self.circuit` exists.

 I think a sequence of events like this would trigger the bug:
 {{{
 (1) User connects. Starts obfs3 handshake.
 (2) We start parsing handshake and deferToThread().
 (3) User disconnects. Circuit is cleared. `self.transport.circuit` is
 NULLed.
 (4) Our callbacks trigger. They try to access `self.circuit.close()` and
 they crash.
 }}}

 There are at least a few ways to fix this bug:
 a) In the beginning of the callback/errback check that `self.circuit`
 exists. If it doesn't, return prematurely since the connection is dead
 anyway. This will need to become a new rule for transport authors that use
 threads.
 b) Stop setting the transport circuit to None, and guard for `self.closed`
 in the various Circuit methods in case the callback/errback try to access
 them while it's closed.

 Both solutions seem acceptable to me.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11820#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs