[tor-bugs] #6984 [Tor Relay]: use after free crash after "eventdns rejected address [scrubbed]"
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Thu Sep 27 17:36:30 UTC 2012
#6984: use after free crash after "eventdns rejected address [scrubbed]"
-----------------------+----------------------------------------------------
Reporter:  dhill       |  Owner:
Type:  defect          |  Status:  new
Priority:  major       |  Milestone:
Component:  Tor Relay  |  Version:  Tor: 0.2.2.39
Keywords:              |  Parent:
Points:                |  Actualpoints:
-----------------------+----------------------------------------------------
Running multiple tor nodes, they crash multiple times per day. The only
thing in the logfile is:
Sep 27 12:08:34.784 [warn] eventdns rejected address [scrubbed]
I enabled debugging and MALLOC_OPTIONS on OpenBSD and got the following:
Sep 27 12:08:34.783 [debug] int connection_edge_process_relay_cell(cell_t
*, circuit_t *, edge_connection_t *, crypt_path_t *)(): circ-level sendme
at non-o
, packagewindow 526.
Sep 27 12:08:34.783 [debug] void circuit_resume_edge_reading(circuit_t *,
crypt_path_t *)(): resuming
Sep 27 12:08:34.783 [debug] int
connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting,
inbuf_datalen 0 (0 pending in tls object).
Sep 27 12:08:34.783 [debug] void conn_write_callback(int, short, void
*)(): socket 1117 wants to write.
Sep 27 12:08:34.784 [debug] int flush_chunk_tls(tor_tls_t *, buf_t *,
chunk_t *, size_t, size_t *)(): flushed 512 bytes, 0 ready to flush, 0
remain.
Sep 27 12:08:34.784 [debug] int connection_handle_write_impl(connection_t
*, int)(): After TLS write of 512: 0 read, 586 written
Sep 27 12:08:34.784 [debug] int
connection_or_flush_from_first_active_circuit(or_connection_t *, int,
time_t)(): Made a circuit inactive.
Sep 27 12:08:34.784 [debug] void conn_read_callback(int, short, void *)():
socket 53 wants to read.
Sep 27 12:08:34.784 [debug] int connection_read_to_buf(connection_t *,
ssize_t *, int *)(): 53: starting, inbuf_datalen 0 (0 pending in tls
object). at_most
4.
Sep 27 12:08:34.784 [debug] int connection_read_to_buf(connection_t *,
ssize_t *, int *)(): After TLS read of 512: 549 read, 0 written
Sep 27 12:08:34.784 [debug] int
connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting,
inbuf_datalen 512 (0 pending in tls object).
Sep 27 12:08:34.784 [debug] int circuit_receive_relay_cell(cell_t *,
circuit_t *, cell_direction_t)(): Sending away from origin.
Sep 27 12:08:34.784 [debug] int connection_edge_process_relay_cell(cell_t
*, circuit_t *, edge_connection_t *, crypt_path_t *)(): Now seen 33189527
relay ce
ere (command 1, stream 39854).
Sep 27 12:08:34.784 [debug] int connection_exit_begin_conn(cell_t *,
circuit_t *)(): Creating new exit connection.
Sep 27 12:08:34.784 [debug] int connection_exit_begin_conn(cell_t *,
circuit_t *)(): about to start the dns_resolve().
Sep 27 12:08:34.784 [debug] int dns_resolve_impl(edge_connection_t *, int,
or_circuit_t *, char **)(): Launching [scrubbed].
Sep 27 12:08:34.784 [info] int launch_resolve(edge_connection_t *)():
Launching eventdns request for [scrubbed]
Sep 27 12:08:34.784 [info] eventdns: Resolve requested.
Sep 27 12:08:34.784 [warn] eventdns rejected address [scrubbed].
Sep 27 12:08:34.784 [debug] void dns_cancel_pending_resolve(const char
*)(): Failing all connections waiting on DNS resolve of [scrubbed]
Sep 27 12:08:34.784 [debug] int connection_edge_end(edge_connection_t *,
uint8_t)(): No circ to send end on conn (fd -1).
Sep 27 12:08:34.784 [debug] int relay_send_command_from_edge(streamid_t,
circuit_t *, uint8_t, const char *, size_t, crypt_path_t *)(): delivering
3 cell ba
d.
Sep 27 12:08:34.784 [debug] void append_cell_to_circuit_queue(circuit_t *,
or_connection_t *, cell_t *, cell_direction_t, streamid_t)(): Made a
circuit acti
Sep 27 12:08:34.784 [debug] void append_cell_to_circuit_queue(circuit_t *,
or_connection_t *, cell_t *, cell_direction_t, streamid_t)(): Primed a
buffer.
Sep 27 12:08:34.784 [debug] int
connection_or_flush_from_first_active_circuit(or_connection_t *, int,
time_t)(): Made a circuit inactive.
Sep 27 12:08:34.784 [debug] int
connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting,
inbuf_datalen 0 (0 pending in tls object).
Sep 27 12:08:34.784 [debug] void conn_write_callback(int, short, void
*)(): socket 1117 wants to write.
tor in free(): error: chunk is already free 0x202974900
Abort trap
I do not have a core.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6984>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online