[tor-bugs] #17041 [Tor]: Memory corruption in the HS client
#17041: Memory corruption in the HS client
------------------------------+------------------------------------
Reporter: dgoulet | Owner:
Type: defect | Status: new
Priority: critical | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version:
Keywords: SponsorR, tor-hs | Actual Points:
Parent ID: | Points:
------------------------------+------------------------------------
This is in git master and hasn't been released.

Here is how the bug is triggered. You download a descriptor of a valid HS.
Then restart that HS (thus making the current descriptor obsolete) and
retry right away to download the descriptor for that HS. The tor client
stops with a segfault in `malloc()` (you sometimes need a couple of tries to
trigger the issue).

Now I believe this is a memory corruption of some sort since during the
git bisect, I was able to trigger bad free() and other segfaults with
`tor_memcmp()` in some other unrelated functions with the same use case.

Bisect gave me this commit as the first bad commit:
{{{
commit ab9a0e340728abd96128da726f67b4ccca10ba52
Author: David Goulet <dgoulet@xxxxxxxxx>
Date: Thu Jun 18 16:09:18 2015 -0400
Add rend failure cache
[...]
}}}
That precise commit introduces a memory corruption somewhere, somehow. I
can't find it for now, so I'm filing this ticket. Attached is a debug log
(3.3M) of the issue being triggered. It's also quite easy to run tor in
gdb and catch the issue.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17041>