[tor-bugs] #18447 [Tor]: Possible double-free in test_options.c
#18447: Possible double-free in test_options.c
---------------------------+------------------------------------------
Reporter: stevenc99 | Owner:
Type: defect | Status: new
Priority: Low | Milestone:
Component: Tor | Version:
Severity: Normal | Keywords: validate__transproxy FreeBSD
Actual Points: | Parent ID:
Points: | Sponsor:
---------------------------+------------------------------------------
{{{
Hi,

On derivatives of FreeBSD that have net/pfvar.h, (GNU/kFreeBSD in my
case, but there will be others), USE_TRANSPARENT gets defined but
__FreeBSD__ is not. Therefore when running options/validate__transproxy
in src/test/test_options.c:

    1080 free_options_test_data(tdata);

tdata remains a dangling pointer. It may be assigned a new value in one
of the following ifdef blocks, which exist for linux, __FreeBSD__,
DARWIN and __OpenBSD__. So in any other case when we reach:

    1115 free_options_test_data(tdata);

it would double-free the tdata from earlier. I've attached a simple
patch to NULL that pointer the first time it is freed.

I will follow up with another ticket to enable transproxy on
GNU/kFreeBSD and enable this test to run on it. Thanks.

Backtrace of the crash with -DNO_FORKING:

#0 routerset_free (routerset=0x21) at src/or/routerset.c:411
cp_sl_idx = <optimized out>
cp_sl_len = <optimized out>
cp = <optimized out>
#1 0x000000000061d4e0 in or_options_free (options=0xae1ad0) at
src/or/config.c:800
No locals.
#2 0x000000000051f3e5 in free_options_test_data (td=0xae2750) at
src/test/test_options.c:391
No locals.
#3 0x00000000005231f3 in test_options_validate__transproxy
(ignored=<optimized out>) at src/test/test_options.c:1115
ret = <optimized out>
tdata = 0xae2750
#4 0x00000000005ede8a in testcase_run_bare_ (testcase=0xaab430
<options_tests+400>) at src/ext/tinytest.c:106
env = 0x0
outcome = <optimized out>
#5 testcase_run_one (group=0xaa61e0 <testgroups+512>, testcase=0xaab430
<options_tests+400>) at src/ext/tinytest.c:253
testcase = 0xaab430 <options_tests+400>
group = 0xaa61e0 <testgroups+512>
#6 0x00000000005ee51e in tinytest_main (c=c@entry=3,
v=v@entry=0x7fffffffe5b8, groups=0xaa5fe0 <testgroups>) at
src/ext/tinytest.c:435
i = 32
j = 10
n = <optimized out>
#7 0x000000000040d04b in main (c=3, v=0x7fffffffe5b8) at
src/test/testing_common.c:300
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18447>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
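
The free / conditional reassign / free pattern reported in this ticket, modelled as an added example (not Tor's code and not the attached patch). The fixture type, the pool, and the names new_test_data, free_test_data and run_case are hypothetical; runtime flags stand in for the platform #if blocks, and the free helper is assumed to treat NULL as a no-op.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the test fixture; not Tor's real struct. */
typedef struct { int freed; } test_data_t;

static test_data_t pool[4];      /* fixed pool: nothing is really released */
static size_t next_slot = 0;
static int double_frees = 0;     /* frees of an already-freed fixture */

static test_data_t *new_test_data(void) {
  test_data_t *td = &pool[next_slot++ % 4];
  td->freed = 0;
  return td;
}

/* Stand-in for free_options_test_data(). Assumption: NULL is a no-op.
 * A repeated free is counted instead of corrupting the heap. */
static void free_test_data(test_data_t *td) {
  if (!td) return;
  if (td->freed) { double_frees++; return; }
  td->freed = 1;
}

/* Same shape as the test: free, maybe reassign, free again.
 * platform_block: 1 if one of the #if blocks (linux, __FreeBSD__, DARWIN,
 * __OpenBSD__) would be compiled in and assign a fresh fixture.
 * null_after_free: 1 to apply the fix described in the ticket. */
static int run_case(int platform_block, int null_after_free) {
  test_data_t *tdata = new_test_data();
  double_frees = 0;
  free_test_data(tdata);
  if (null_after_free) tdata = NULL;
  if (platform_block) tdata = new_test_data();
  free_test_data(tdata);
  return double_frees;
}

int main(void) {
  printf("block present, unpatched: %d\n", run_case(1, 0));
  printf("no block, unpatched:      %d\n", run_case(0, 0));
  printf("no block, patched:        %d\n", run_case(0, 1));
  return 0;
}
```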