[tor-bugs] #4862 [Tor]: Consider disabling dynamic intro point formula (numerology)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jun 14 13:47:03 UTC 2015
#4862: Consider disabling dynamic intro point formula (numerology)
-------------------------------------------------------------------------
Reporter: hellais
Owner:
Type: enhancement
Status: needs_revision
Priority: major
Milestone: Tor: 0.2.7.x-final
Component: Tor
Version: Tor: 0.2.7
Resolution:
Keywords: needs-proposal, tor-hs, 027-triaged-1-in, SponsorR
Actual Points:
Parent ID:
Points: medium/large
-------------------------------------------------------------------------
Comment (by asn):
I started testing this!
It seems like tor will crash when the HS tries to upload the second HS
descriptor.
It will crash like this:
{{{
#0 0x00005555555b3014 in rend_data_dup (data=0x7fffffffe030) at
src/or/rendcommon.c:1407
#1 0x000055555564c3ff in directory_initiate_command_rend
(_addr=0x555556184480, or_port=20, dir_port=57712, digest=0x555555aa65fc
"\351:~;\371\237>\374.\246\356|D\270\230\340\201\212\322\305\026W2\356\252\033I\237KE\031\332h\251\367f8\356\203\353\236B/\243\253p܌\215\022\210\026\224\062\365\306)#F#",
dir_purpose=176 '\260', dir_purpose at entry=17 '\021', router_purpose=64
'@', router_purpose at entry=0 '\000', indirection=4294958752, resource=0x0,
payload=0x555556185d20 "rendezvous-service-descriptor
5ex2pe24d4y3nus3umqen4rgbqlk34v6\nversion 2\npermanent-key\n-----BEGIN RSA
PUBLIC
KEY-----\nMIGJAoGBAM1ZaWMtX7rigjmTALwcr4bteltZVF4YCP9F6NLx0lB3SACu/XNrQVpt\nX8H7CMf3t3HYRlciX"...,
payload_len=3253, if_modified_since=0, rend_query=0x7fffffffe030)
at src/or/directory.c:981
#2 0x000055555564c940 in directory_initiate_command_routerstatus_rend
(status=status at entry=0x555555aa65e0, dir_purpose=dir_purpose at entry=17
'\021', router_purpose=router_purpose at entry=0 '\000',
indirection=indirection at entry=DIRIND_ANONYMOUS,
resource=resource at entry=0x0,
payload=payload at entry=0x555556185d20 "rendezvous-service-descriptor
5ex2pe24d4y3nus3umqen4rgbqlk34v6\nversion 2\npermanent-key\n-----BEGIN RSA
PUBLIC
KEY-----\nMIGJAoGBAM1ZaWMtX7rigjmTALwcr4bteltZVF4YCP9F6NLx0lB3SACu/XNrQVpt\nX8H7CMf3t3HYRlciX"...,
payload_len=3253, if_modified_since=0,
rend_query=0x7fffffffe030) at src/or/directory.c:646
#3 0x00005555555b9b9d in directory_post_to_hs_dir
(renddesc=0x55555616ec40, descs=0x55555617bbc0, hs_dirs=0x0,
service_id=0x7fffffffe170 "brhc7vtx6cmchjda", seconds_valid=33661) at
src/or/rendservice.c:3158
#4 0x00005555555b9f27 in upload_service_descriptor
(service=0x555555975e40) at src/or/rendservice.c:3273
#5 0x00005555555babc0 in rend_consider_services_upload
(now=now at entry=1434288689) at src/or/rendservice.c:3696
}}}
I think the problem was introduced with the refactoring commit
`6d127695ea`: in `directory_post_to_hs_dir()` it introduced the
`rend_data` structure allocated on the stack, which is not properly
initialized before being passed to
`directory_initiate_command_routerstatus_rend()`. So even though the
`onion_address` element was initialized, other required elements were not,
and that caused crashes. This crash happened in `rend_data_dup()` when the
code was trying to access the `hsdirs_fp` pointer that was never
initialized (and probably contains stack garbage).
Not yet sure why the invocation to
`directory_initiate_command_routerstatus()` was changed in the refactoring
commit.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4862#comment:37>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
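The defect asn describes, reduced to a stand-alone C illustration. This is an added example, not Tor's code and not part of the ticket: `rend_data_t`, `rend_data_init`, `rend_data_dup`, `rend_data_free` and the two `demo_*` functions are hypothetical stand-ins that only mirror the shape of the bug (a stack struct with one field filled in and an optional pointer field left undefined); the fingerprint strings are constructed, and the service id is the one visible in the backtrace. The crashing pattern appears only as a comment, since executing it is undefined behaviour; the runnable part zero-initialises the whole struct before use and makes the duplicating function tolerate an absent list.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a rend_data-like struct (not Tor's definition). */
#define ONION_LEN 16

typedef struct {
    char onion_address[ONION_LEN + 1]; /* 16-char v2 service id plus NUL */
    char **hsdirs_fp;                  /* optional HSDir fingerprint list, or NULL */
    size_t n_hsdirs;                   /* entries in hsdirs_fp; 0 when NULL */
} rend_data_t;

/* The pattern from the comment, shown but never executed (undefined behaviour):
 *
 *     rend_data_t rd;                         // stack object, nothing zeroed
 *     memcpy(rd.onion_address, id, 17);       // only this field is set
 *     rend_data_dup(&rd);                     // reads rd.hsdirs_fp: stack garbage
 */

/* Safe construction: give every field a defined value, then set the known ones. */
int rend_data_init(rend_data_t *out, const char *onion)
{
    if (!out || !onion || strlen(onion) != ONION_LEN)
        return -1;
    *out = (rend_data_t){0};          /* hsdirs_fp = NULL, n_hsdirs = 0 */
    memcpy(out->onion_address, onion, ONION_LEN + 1);
    return 0;
}

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

void rend_data_free(rend_data_t *rd)
{
    if (!rd) return;
    for (size_t i = 0; i < rd->n_hsdirs; i++)
        free(rd->hsdirs_fp[i]);
    free(rd->hsdirs_fp);
    free(rd);
}

/* Deep copy. Reads src->hsdirs_fp, so that field must be defined:
 * NULL (no list yet) or an array of n_hsdirs strings. */
rend_data_t *rend_data_dup(const rend_data_t *src)
{
    rend_data_t *dst = calloc(1, sizeof *dst);
    if (!dst) return NULL;
    memcpy(dst->onion_address, src->onion_address, sizeof dst->onion_address);
    if (src->hsdirs_fp && src->n_hsdirs > 0) {
        dst->hsdirs_fp = calloc(src->n_hsdirs, sizeof *dst->hsdirs_fp);
        if (!dst->hsdirs_fp) { free(dst); return NULL; }
        for (size_t i = 0; i < src->n_hsdirs; i++) {
            dst->hsdirs_fp[i] = dup_string(src->hsdirs_fp[i]);
            if (!dst->hsdirs_fp[i]) { rend_data_free(dst); return NULL; }
            dst->n_hsdirs = i + 1;    /* count stays accurate for rend_data_free */
        }
    }
    return dst;
}

/* Case 1: only the onion address is known, the state at the ticket's crash.
 * Returns 0 when the copy is correct, -1 otherwise. */
int demo_no_list(void)
{
    rend_data_t rd;                                /* stack object, as in the ticket */
    if (rend_data_init(&rd, "brhc7vtx6cmchjda"))  /* service id from the backtrace */
        return -1;
    rend_data_t *copy = rend_data_dup(&rd);        /* hsdirs_fp is NULL, not garbage */
    int ok = copy && copy->hsdirs_fp == NULL && copy->n_hsdirs == 0
          && strcmp(copy->onion_address, rd.onion_address) == 0;
    rend_data_free(copy);
    return ok ? 0 : -1;
}

/* Case 2: a fingerprint list is attached (constructed sample values).
 * Returns the number of fingerprints the deep copy holds, -1 on failure. */
int demo_with_list(void)
{
    static const char *fps[] = { "FP_HSDIR_A_CONSTRUCTED", "FP_HSDIR_B_CONSTRUCTED" };
    char *list[2] = { (char *)fps[0], (char *)fps[1] };
    rend_data_t rd;
    if (rend_data_init(&rd, "brhc7vtx6cmchjda"))
        return -1;
    rd.hsdirs_fp = list;
    rd.n_hsdirs = 2;
    rend_data_t *copy = rend_data_dup(&rd);
    if (!copy) return -1;
    int n = (int)copy->n_hsdirs;
    for (size_t i = 0; i < copy->n_hsdirs; i++)
        if (copy->hsdirs_fp[i] == list[i] || strcmp(copy->hsdirs_fp[i], list[i]) != 0)
            n = -1;                                /* shared pointer or wrong text */
    rend_data_free(copy);
    return n;
}
```

The compound literal `(rend_data_t){0}` is the whole fix for the shape of bug described here: a later field added to the struct gets a defined value even if the caller never hears about it, which is exactly what a partially hand-initialised stack object does not give you.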