Re: [tor-bugs] #7788 [Tor]: Tor Relay is shutting down every couple of days
#7788: Tor Relay is shutting down every couple of days
-----------------------------------------------------+----------------------
Reporter: lemerange | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: unspecified
Component: Tor | Version: Tor: 0.2.3.25
Keywords: crash cpu_worker tor-relay bufferevents | Parent:
Points: | Actualpoints:
-----------------------------------------------------+----------------------
Changes (by Javantea):
* status: needs_information => new
* cc: jvoss@… (added)
Comment:
The crash is a null dereference.
The crash occurs in buffers.c:522 in buf_datalen:
return buf->datalen;
In connection.c, conn->outbuf is null.
old_datalen = buf_datalen(conn->outbuf);
This runs because conn->bufev is null which causes
IF_HAS_BUFFEREVENT(conn, { ... }); to not run.
Here is a stack trace for you.
{{{
Core was generated by `/usr/local/bin/tor -f /etc/tor/torrc'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f2a40265be4 in buf_datalen (buf=0x0) at buffers.c:522
522 {
(gdb) bt
#0 0x00007f2a40265be4 in buf_datalen (buf=0x0) at buffers.c:522
#1 0x00007f2a4029d7b9 in _connection_write_to_buf_impl (
string=0x7fff8356926e "GET /?sdkjfgaslkgflaksgfia HTTP/1.1\r\nUser-
Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.12\r\nHost:
onlinea.ru\r\nAccept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png"..., len=411,
conn=0x7f2a4315eab0, zlib=0) at connection.c:3412
#2 0x00007f2a40227eac in connection_write_to_buf (conn=0x7f2a4315eab0,
len=<optimized out>,
string=0x7fff8356926e "GET /?sdkjfgaslkgflaksgfia HTTP/1.1\r\nUser-
Agent: Opera/9.80 (Windows NT 5.1) Presto/2.12.388 Version/12.12\r\nHost:
onlinea.ru\r\nAccept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png"...) at connection.h:104
#3 connection_edge_process_relay_cell (cell=0x7fff83569260,
circ=0x7f2a428f1e30, conn=0x7f2a4315eab0, layer_hint=<optimized out>)
at relay.c:1134
#4 0x00007f2a4022973d in circuit_receive_relay_cell (cell=0x7fff83569260,
circ=0x7f2a428f1e30, cell_direction=CELL_DIRECTION_OUT)
at relay.c:192
#5 0x00007f2a402824ae in command_process_relay_cell (conn=0x7f2a423c5e90,
cell=0x7fff83569260) at command.c:576
#6 command_process_cell (cell=0x7fff83569260, conn=0x7f2a423c5e90) at
command.c:192
#7 0x00007f2a402aa00f in connection_or_process_cells_from_inbuf
(conn=0x7f2a423c5e90) at connection_or.c:1882
#8 0x00007f2a4029b2e5 in connection_handle_read_cb (bufev=<optimized
out>, arg=0x7f2a423c5e90) at connection.c:2969
#9 0x00007f2a3f69541e in ?? () from /usr/lib64/libevent-2.0.so.5
#10 0x00007f2a3f68b99b in event_base_loop () from
/usr/lib64/libevent-2.0.so.5
#11 0x00007f2a4020ea29 in do_main_loop () at main.c:1959
#12 0x00007f2a4021020b in tor_main (argc=<optimized out>,
argv=0x7fff83569968) at main.c:2652
#13 0x00007f2a3e8cf4bd in __libc_start_main () from /lib64/libc.so.6
#14 0x00007f2a4020a1c9 in _start ()
}}}
FYI, bufferevents is default on Gentoo, so we should definitely contact
them and tell them that it is unstable. You should also check whether
other distros enable bufferevents.
I have a patch, if you want it, which fixes this null dereference and an
abort that occurs as well. There are several places where similar code
occurs, so this probably requires a larger effort. I am testing the patch
I wrote right now.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7788#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
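
The failure mode described in the comment above, as an added example: a simplified C model, not Tor's source and not the patch the commenter mentions. All type and function names here are hypothetical; it shows the unguarded fallback to `outbuf` beside a variant that reports a connection with neither backend instead of dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types; not Tor's connection_t or buf_t. */
typedef struct { size_t datalen; char data[512]; } model_buf_t;
typedef struct { size_t queued; } model_bufev_t;
typedef struct {
  model_buf_t *outbuf;  /* NULL when no plain output buffer exists */
  model_bufev_t *bufev; /* NULL when no bufferevent is attached */
} model_conn_t;

enum write_result { WRITE_OK, WRITE_VIA_BUFEV, WRITE_NO_BACKEND, WRITE_FULL };

/* Same shape as the accessor in the trace: dereferences buf unconditionally. */
static size_t model_buf_datalen(const model_buf_t *buf) { return buf->datalen; }

/* Bounds-checked append shared by both variants. */
static int model_buf_append(model_buf_t *buf, const char *s, size_t len) {
  size_t old_datalen = model_buf_datalen(buf);
  if (len > sizeof(buf->data) - old_datalen) return -1;
  memcpy(buf->data + old_datalen, s, len);
  buf->datalen = old_datalen + len;
  return 0;
}

/* Unguarded pattern: with bufev == NULL the bufferevent branch is skipped and
 * the fallback reads conn->outbuf, which crashes when that is NULL as well. */
int write_unguarded(model_conn_t *conn, const char *s, size_t len) {
  if (conn->bufev) { conn->bufev->queued += len; return 0; }
  return model_buf_append(conn->outbuf, s, len); /* NULL dereference here */
}

/* Guarded variant: a connection with neither backend is reported, not read. */
enum write_result write_guarded(model_conn_t *conn, const char *s, size_t len) {
  if (!conn || !s) return WRITE_NO_BACKEND;
  if (conn->bufev) { conn->bufev->queued += len; return WRITE_VIA_BUFEV; }
  if (!conn->outbuf) return WRITE_NO_BACKEND;
  return model_buf_append(conn->outbuf, s, len) == 0 ? WRITE_OK : WRITE_FULL;
}

int main(void) {
  model_conn_t broken = { NULL, NULL }; /* constructed: state from the report */
  printf("guarded result: %d\n", write_guarded(&broken, "GET /", 5));
  return 0;
}
```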