[tor-bugs] #20103 [Core Tor/Tor]: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Sep 17 23:07:51 UTC 2016 

#20103: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4
-----------------------------------------+---------------------------------
 Reporter:  attila                       |          Owner:
     Type:  defect                       |         Status:  new
 Priority:  High                         |      Milestone:  Tor:
                                         |  0.2.9.x-final
Component:  Core Tor/Tor                 |        Version:  Tor: 0.2.8.7
 Severity:  Normal                       |     Resolution:
 Keywords:  bug regression 028-backport  |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:
-----------------------------------------+---------------------------------

Comment (by rubiate):

 Did some more digging.

 What's up with the consensus when using the .20 relay (NYCBUG0) as a
 bridge?

     network-status-version 3 microdesc\nvote-status consensus\nconsensus-
 method 20\nvalid-after 2016-09-08 19:00:00\nfresh-until '''2016-09-08'''
 20:00:00\nvalid-until '''2016-09-08''' 22:00:00

 Tor says the clock is fine:

     [debug] connection_dir_client_reached_eof(): Time on received
 directory is within tolerance; we are -2 seconds skewed.  (That's okay.)
     [info] connection_dir_client_reached_eof(): Received consensus
 directory (size 1404160) from server '66.111.2.20:9001'

 Whatever the cause, I think this is what is exposing the bug.

 Before the crash happens, `networkstatus_vote_free(current_md_consensus)`
 on src/or/networkstatus.c:1753 is reached. This calls
 `routerstatus_free(rs)` (src/or/networkstatus.c:319) on everything in the
 routerlist. I added some logging to see what it's doing:

     [... bajillion lines trimmed...]
     routerstatus_free: 0x167ecf8fa700
     routerstatus_free: 0x167e5e425e00
     '''routerstatus_free: 0x167ecf8fab00'''
     routerstatus_free: 0x167e91b76a00
     routerstatus_free: 0x167ecf8fa100
     [...bajillion lines trimmed...]
     Segmentation fault (core dumped)

     $ gdb tor/src/or/tor tor.core
     (gdb) up 2
     (gdb) print *node->rs
     $1 = (routerstatus_t *) 0x167ecf8fab00


 I'm hoping that NYCBUG relay stays broken for now so I can investigate
 further, and hopefully figure out why this seems to only happen on
 OpenBSD.

 And well done to atilla on having the specific config to trigger this :-)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20103#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list