[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #2954 [Tor Directory Authority]: ides corrupted its cached-microdescs.new file

#2954: ides corrupted its cached-microdescs.new file
----------------------------------------+-----------------------------------
    Reporter:  mikeperry                |       Owner:  nickm             
        Type:  defect                   |      Status:  assigned          
    Priority:  normal                   |   Milestone:  Tor: 0.2.3.x-final
   Component:  Tor Directory Authority  |     Version:                    
  Resolution:                           |    Keywords:                    
      Parent:                           |      Points:                    
Actualpoints:                           |  
----------------------------------------+-----------------------------------

Comment(by cypherpunks):

 microdescs_parse_from_string() could trigger double microdesc_free() for
 the same md.
 {{{
   while (s < eos) {
     start_of_next_microdesc = find_start_of_next_microdesc(s, eos);
     if (!start_of_next_microdesc)
       start_of_next_microdesc = eos;

     if (tokenize_string(area, s, start_of_next_microdesc, tokens,
                         microdesc_token_table, flags)) {
       log_warn(LD_DIR, "Unparseable microdescriptor");
       goto next;
     }

     md = tor_malloc_zero(sizeof(microdesc_t));
     {
       const char *cp = tor_memstr(s, start_of_next_microdesc-s,
                                   "onion-key");
       tor_assert(cp);

       md->bodylen = start_of_next_microdesc - cp;
       if (copy_body)
         md->body = tor_strndup(cp, md->bodylen);
       else
         md->body = (char*)cp;
       md->off = cp - start;
     }

     if ((tok = find_opt_by_keyword(tokens, A_LAST_LISTED))) {
       if (parse_iso_time(tok->args[0], &md->last_listed)) {
         log_warn(LD_DIR, "Bad last-listed time in microdescriptor");
         goto next;
       }
     }
 ...
     md = NULL;
   next:
     microdesc_free(md);

     memarea_clear(area);
     smartlist_clear(tokens);
     s = start_of_next_microdesc;
   }
 }}}
 With series of corrupted microdescs, so that first has broken
 A_LAST_LISTED and next to it has another broken token.

 fixed code could be like:
 {{{
   next:
     microdesc_free(md);
     md = NULL;

     memarea_clear(area);
     smartlist_clear(tokens);
     s = start_of_next_microdesc;
 }}}

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2954#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs