[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #30775 [Core Tor/Tor]: Crash in close_or_reextend_intro_circ() (not released)
#30775: Crash in close_or_reextend_intro_circ() (not released)
-------------------------------------------+-------------------------------
Reporter: asn | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone: Tor:
| 0.4.1.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution:
Keywords: tor-hs bug 041-must stability | Actual Points:
Parent ID: #30773 | Points:
Reviewer: | Sponsor:
-------------------------------------------+-------------------------------
Description changed by asn:
Old description:
> There is a UAF in:
>
> {{{
> if (!TO_CIRCUIT(intro_circ)->marked_for_close) {
> circuit_change_purpose(TO_CIRCUIT(intro_circ),
> CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
> circuit_mark_for_close(TO_CIRCUIT(intro_circ),
> END_CIRC_REASON_FINISHED);
> }
> /* Close the related rendezvous circuit. */
> rend_circ = hs_circuitmap_get_rend_circ_client_side(
> intro_circ->hs_ident->rendezvous_cookie);
> }}}
New description:
There is a UAF in:
{{{
if (!TO_CIRCUIT(intro_circ)->marked_for_close) {
circuit_change_purpose(TO_CIRCUIT(intro_circ),
CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
circuit_mark_for_close(TO_CIRCUIT(intro_circ),
END_CIRC_REASON_FINISHED);
}
/* Close the related rendezvous circuit. */
rend_circ = hs_circuitmap_get_rend_circ_client_side(
intro_circ->hs_ident->rendezvous_cookie);
}}}
exact same bug class as #30773.
--
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30775#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs