[tor-bugs] #7756 [Tor]: SIGSEGV in directory_initiate_command_routerstatus()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Dec 19 02:03:38 UTC 2012
#7756: SIGSEGV in directory_initiate_command_routerstatus()
--------------------+-------------------------------------------------------
Reporter: andrea | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.4.x-final
Component: Tor | Version: Tor: 0.2.4.6-alpha
Keywords: | Parent:
Points: | Actualpoints:
--------------------+-------------------------------------------------------
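In git revision 7a99d26c798a2223c8277e6c358eb76195d18dab, one of
router_pick_directory_server(), router_pick_trusteddirserver() or
router_pick_fallback_dirserver() returns a bogus pointer to routerstatus_t
with value 0x101; directory_initiate_command_routerstatus() uses it and
ultimately this leads to a SIGSEGV in node_get_by_id(). (The
identity_digest address 0x11d in frames #1 and #2 is status + 0x1c, i.e.
the field offset applied to the bogus pointer, so this is a non-NULL
garbage pointer rather than a NULL dereference.) Stack trace is: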
(gdb) bt
#0 0x00007ffff6a660d0 in __memcpy_ssse3 () from /lib64/libc.so.6
#1 0x0000000000417c92 in node_get_mutable_by_id (identity_digest=0x11d
<Address 0x11d out of bounds>)
at src/or/nodelist.c:86
#2 0x0000000000417cce in node_get_by_id (identity_digest=0x11d <Address
0x11d out of bounds>) at src/or/nodelist.c:96
#3 0x00000000004ec5df in directory_initiate_command_routerstatus_rend
(status=0x101, dir_purpose=19 '\023',
router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
resource=0x19602f0
"d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK
+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-
R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
payload=0x0, payload_len=0, if_modified_since=0, rend_query=0x0) at
src/or/directory.c:571
#4 0x00000000004ec823 in directory_initiate_command_routerstatus
(status=0x101, dir_purpose=19 '\023',
router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
resource=0x19602f0
"d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK
+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-
R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
payload=0x0, payload_len=0, if_modified_since=0) at
src/or/directory.c:631
#5 0x00000000004ec392 in directory_get_from_dirserver (dir_purpose=19
'\023', router_purpose=0 '\000',
resource=0x19602f0
"d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK
+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-
R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
pds_flags=18) at src/or/directory.c:502
#6 0x0000000000457e66 in initiate_descriptor_downloads (source=0x0,
purpose=19, digests=0x13ad3a0, lo=828, hi=920,
pds_flags=18) at src/or/routerlist.c:4120
#7 0x00000000004581c3 in launch_descriptor_downloads (purpose=19,
downloadable=0x13ad3a0, source=0x0, now=1355881851)
at src/or/routerlist.c:4239
#8 0x00000000004107d8 in update_microdesc_downloads (now=1355881851) at
src/or/microdesc.c:694
#9 0x00000000004f1332 in connection_dir_client_reached_eof
(conn=0x1469c60) at src/or/directory.c:1833
#10 0x00000000004f3000 in connection_dir_reached_eof (conn=0x1469c60) at
src/or/directory.c:2257
#11 0x00000000004cbfbb in connection_reached_eof (conn=0x1469c60) at
src/or/connection.c:4071
#12 0x00000000004c95ee in connection_handle_read_impl (conn=0x1469c60) at
src/or/connection.c:2847
#13 0x00000000004c9624 in connection_handle_read (conn=0x1469c60) at
src/or/connection.c:2860
#14 0x000000000040a22f in conn_read_callback (fd=20, event=2,
_conn=0x1469c60) at src/or/main.c:722
#15 0x00007ffff772f930 in event_process_active (base=0x7e3c70,
flags=<value optimized out>) at event.c:395
#16 event_base_loop (base=0x7e3c70, flags=<value optimized out>) at
event.c:547
#17 0x000000000040cc37 in do_main_loop () at src/or/main.c:1989
#18 0x000000000040e1f7 in tor_main (argc=3, argv=0x7fffffffe668) at
src/or/main.c:2701
#19 0x0000000000408804 in main (argc=3, argv=0x7fffffffe668) at
src/or/tor_main.c:30
Some other detail:
(gdb) frame 3
#3 0x00000000004ec5df in directory_initiate_command_routerstatus_rend
(status=0x101, dir_purpose=19 '\023',
router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
resource=0x19602f0
"d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK
+uoQ-R0Pmy5
9ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-
R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
payload=0x0, payload_len=0, if_modified_since=0, rend_query=0x0) at
src/or/directory.c:571
571 node = node_get_by_id(status->identity_digest);
(gdb) print status
$1 = (const routerstatus_t *) 0x101
(gdb) frame 4
#4 0x00000000004ec823 in directory_initiate_command_routerstatus
(status=0x101, dir_purpose=19 '\023',
router_purpose=0 '\000', indirection=DIRIND_ONEHOP,
resource=0x19602f0
"d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK
+uoQ-R0Pmy5
9ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-
R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
payload=0x0, payload_len=0, if_modified_since=0) at
src/or/directory.c:631
631 directory_initiate_command_routerstatus_rend(status,
dir_purpose,
(gdb) print status
$2 = (const routerstatus_t *) 0x101
(gdb) frame 5
#5 0x00000000004ec392 in directory_get_from_dirserver (dir_purpose=19
'\023', router_purpose=0 '\000',
resource=0x19602f0
"d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK
+uoQ-R0Pmy5
9ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-
R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"...,
pds_flags=18) at src/or/directory.c:502
502 directory_initiate_command_routerstatus(rs, dir_purpose,
(gdb) print rs
$3 = (const routerstatus_t *) 0x101
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7756>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online