[tor-bugs] #16823 [Tor]: potential double-free in command_process_create_cell()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Aug 16 01:10:19 UTC 2015
#16823: potential double-free in command_process_create_cell()
-------------------------+-------------------------------------------------
Reporter: isis | Owner:
Type: defect | Status: needs_review
Priority: blocker | Milestone:
Component: Tor | Version: Tor: 0.2.4.10-alpha
Resolution: | Keywords: tor-relay, tor-guard, security,
Actual Points: | 024-backport, 025-backport, 026-backport
Points: | Parent ID:
-------------------------+-------------------------------------------------
Comment (by nickm):
Good catch, but not a real bug at all, I think. Remember the definition
of tor_free:
{{{
/** Release memory allocated by tor_malloc, tor_realloc, tor_strdup, etc.
 * Unlike the free() function, tor_free() will still work on NULL pointers,
 * and it sets the pointer value to NULL after freeing it.
 *
 * This is a macro. If you need a function pointer to release memory from
 * tor_malloc(), use tor_free_().
 */
#define tor_free(p) STMT_BEGIN \
  if (PREDICT_LIKELY((p)!=NULL)) { \
    free(p); \
    (p)=NULL; \
  } \
  STMT_END
}}}
So the first tor_free will set create_cell to NULL, and the second
tor_free will do nothing.
So unless I'm missing something big, this is a programming mistake, but
not actually exploitable. Please let me know if I'm wrong, or downgrade
to "normal priority, no backport" if I'm right?
Thanks!
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16823#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
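
Added example (not part of the ticket or of Tor's source): a free-and-NULL macro with the same shape as the quoted tor_free, instrumented to count how often free() is really reached when the same variable is released twice. It goes one step beyond the comment by also showing that a second pointer to the same allocation is not cleared. The names demo_free, counted_free and demo_cell_t are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int free_calls;  /* how many times free() was really reached */
static void counted_free(void *p) { free_calls++; free(p); }

/* Same shape as the tor_free quoted above; do/while stands in for
 * STMT_BEGIN/STMT_END and the PREDICT_LIKELY hint is dropped. */
#define demo_free(p) do {  \
    if ((p) != NULL) {     \
      counted_free(p);     \
      (p) = NULL;          \
    }                      \
  } while (0)

typedef struct { unsigned char payload[64]; } demo_cell_t; /* hypothetical */

/* Release on an error path, then again in shared cleanup. */
int double_release_free_count(void)
{
  demo_cell_t *cell = malloc(sizeof(*cell));
  if (!cell) return -1;
  free_calls = 0;
  demo_free(cell);  /* frees the block and sets cell to NULL */
  demo_free(cell);  /* cell is NULL, so free() is not called again */
  return free_calls;
}

/* The macro clears only the lvalue it is handed. Returns 1 when a copy of
 * the pointer still holds the old address after the original is released. */
int alias_keeps_stale_address(void)
{
  demo_cell_t *cell = malloc(sizeof(*cell));
  demo_cell_t *alias = cell;
  uintptr_t alias_bits = 0;
  if (!cell) return -1;
  demo_free(cell);
  /* Inspect the alias's stored bytes only; it is never dereferenced. */
  memcpy(&alias_bits, &alias, sizeof(alias));
  return cell == NULL && alias_bits != 0;
}

int main(void)
{
  printf("free() calls: %d, alias stale: %d\n",
         double_release_free_count(), alias_keeps_stale_address());
  return 0;
}
```

When reviewing a reported double tor_free, the thing to check is whether both calls name the same variable; releasing through a copy of the pointer is the case the macro does not cover.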