[tor-bugs] #22417 [Core Tor/Tor]: crash: double free or corruption (fasttop):
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun May 28 04:10:13 UTC 2017
#22417: crash: double free or corruption (fasttop):
-------------------------------------------------+-------------------------
Reporter: toralf | Owner:
Type: defect | Status:
| needs_review
Priority: High | Milestone: Tor:
| 0.3.1.x-final
Component: Core Tor/Tor | Version: Tor:
| 0.3.1.2-alpha
Severity: Normal | Resolution:
Keywords: tor-relay regression torrc reload | Actual Points:
crash |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by arma):
For those following along, the proposed fix is:
{{{
--- a/src/common/confline.c
+++ b/src/common/confline.c
@@ -300,7 +300,7 @@ config_process_include(const char *path, int
recursion_level, int extended,
tor_free(config_file);
**next = included_list;
- *next = &(*list_last)->next;
+ *next = !*list_last ? *next : &(*list_last)->next;
} SMARTLIST_FOREACH_END(config_file);
smartlist_free(config_files);
}}}
I can confirm that the change stops the crash.
But (not knowing the code here at all, though I admit I am stunned to find
a {{{***next}}} :) it is a confusing fix. If !*list_last, then assign
*next to *next? If that's actually what you meant to do, wouldn't it be
simpler to do it with something like
{{{
if (*list_last)
*next = &(*list_last)->next;
}}}
?
(I am in a twisty maze of pointers to pointers to pointers, all alike.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22417#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list