[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #11820 [Obfsproxy]: circuit `NoneType` in obfs3 handshake callbacks
#11820: circuit `NoneType` in obfs3 handshake callbacks
---------------------------+-----------------
Reporter: asn | Owner: asn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Obfsproxy | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
---------------------------+-----------------
Comment (by asn):
So, the exception is partially caused by `Circuit.close()` setting
`self.transport.circuit` to `None`.
It's also partially caused because the callback/errback of the obfs3
handshake don't check that `self.circuit` exists.
I think a sequence of events like this would trigger the bug:
{{{
(1) User connects. Starts obfs3 handshake.
(2) We start parsing handshake and deferToThread().
(3) User disconnects. Circuit is cleared. `self.transport.circuit` is
NULLed.
(4) Our callbacks trigger. They try to access `self.circuit.close()` and
they crash.
}}}
There are at least a few ways to fix this bug:
a) In the beginning of the callback/errback check that `self.circuit`
exists. If it doesn't, return prematurely since the connection is dead
anyway. This will need to become a new rule for transport authors that use
threads.
b) Stop setting the transport circuit to None, and guard for `self.closed`
in the various Circuit methods in case the callback/errback try to access
them while it's closed.
Both solutions seem acceptable to me.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11820#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs