Re: [tor-bugs] #6029 [Tor Relay]: relay crash in libcrypto (tor_tls_handshake)
#6029: relay crash in libcrypto (tor_tls_handshake)
-----------------------+----------------------------------------------------
Reporter: ln5 | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor Relay | Version: Tor: 0.2.3.15-alpha
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Changes (by nickm):
* version: => Tor: 0.2.3.15-alpha
* milestone: => Tor: 0.2.3.x-final
Comment:
Weird! Since the only way to get a crash in write() is to give it a bad
buffer or an overlong length... and since the arguments to BIO_write here
are coming from the BIO_CTRL_FLUSH case of buffer_ctrl in openssl's
crypto/bio/bf_buff.c ... something has to be screwed up in the BIO
internals.

If the crash is always in the same place, I'd suspect some kind of
use-after-free thing, or something else that could allow a BIO specifically
to become corrupt. It would help to debug this if you can have gdb dump
out (in tor_tls_handshake) the values of *tls, *tls->ssl, and
*tls->ssl->wbio.

If the crash isn't always in the same place, I'd suspect a memory
corruption issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6029#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online