[tor-bugs] #30775 [Core Tor/Tor]: Crash in close_or_reextend_intro_circ() (not released)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 5 17:08:57 UTC 2019
#30775: Crash in close_or_reextend_intro_circ() (not released)
-------------------------------------------+-------------------------------
 Reporter:  asn                            |          Owner:  (none)
     Type:  defect                         |         Status:  new
 Priority:  Medium                         |      Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor                   |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  tor-hs bug 041-must stability  |  Actual Points:
Parent ID:  #30773                         |         Points:
 Reviewer:                                 |        Sponsor:
-------------------------------------------+-------------------------------
Description changed by asn:
Old description:
> There is a UAF in:
>
> {{{
>   if (!TO_CIRCUIT(intro_circ)->marked_for_close) {
>     circuit_change_purpose(TO_CIRCUIT(intro_circ),
>                            CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
>     circuit_mark_for_close(TO_CIRCUIT(intro_circ),
>                            END_CIRC_REASON_FINISHED);
>   }
>   /* Close the related rendezvous circuit. */
>   rend_circ = hs_circuitmap_get_rend_circ_client_side(
>                        intro_circ->hs_ident->rendezvous_cookie);
> }}}
New description:
There is a UAF in:
{{{
  if (!TO_CIRCUIT(intro_circ)->marked_for_close) {
    circuit_change_purpose(TO_CIRCUIT(intro_circ),
                           CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
    circuit_mark_for_close(TO_CIRCUIT(intro_circ),
                           END_CIRC_REASON_FINISHED);
  }
  /* Close the related rendezvous circuit. */
  rend_circ = hs_circuitmap_get_rend_circ_client_side(
                       intro_circ->hs_ident->rendezvous_cookie);
}}}
Exact same bug class as #30773.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30775#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
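
The ordering hazard in the snippet above, as an added sketch that is not Tor's code and not the ticket's fix: it contrasts reading the rendezvous cookie after the close call with copying it out beforehand. All types and function names are hypothetical, and it assumes the close path releases `hs_ident`, which the ticket does not state.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_LEN 20 /* constructed size for this sketch */

/* Hypothetical stand-ins for the circuit and its hs_ident; not Tor's types. */
typedef struct { uint8_t rendezvous_cookie[COOKIE_LEN]; } ident_t;
typedef struct { int marked_for_close; ident_t *hs_ident; } circ_t;

/* Assumption: closing may release per-circuit state such as hs_ident. */
static void toy_mark_for_close(circ_t *c) {
  c->marked_for_close = 1;
  free(c->hs_ident);
  c->hs_ident = NULL; /* NULL-after-free makes the stale state detectable */
}

/* Same order as the snippet: close first, then read through the circuit.
 * Returns -1 at the point where the read would touch released memory. */
int cookie_after_close(circ_t *c, uint8_t out[COOKIE_LEN]) {
  if (!c->marked_for_close)
    toy_mark_for_close(c);
  if (c->hs_ident == NULL)
    return -1;
  memcpy(out, c->hs_ident->rendezvous_cookie, COOKIE_LEN);
  return 0;
}

/* Defensive order: copy the cookie while the circuit is live, then close. */
int cookie_before_close(circ_t *c, uint8_t out[COOKIE_LEN]) {
  if (c->hs_ident == NULL)
    return -1;
  memcpy(out, c->hs_ident->rendezvous_cookie, COOKIE_LEN);
  if (!c->marked_for_close)
    toy_mark_for_close(c);
  return 0;
}

/* Constructed circuit whose cookie bytes are all `fill`. */
static circ_t make_circ(uint8_t fill) {
  circ_t c = { 0, malloc(sizeof(ident_t)) };
  if (c.hs_ident) memset(c.hs_ident->rendezvous_cookie, fill, COOKIE_LEN);
  return c;
}

/* Drivers over constructed input: status of each ordering, or last cookie byte. */
int demo_after_close(void) { circ_t c = make_circ(0xAB); uint8_t o[COOKIE_LEN]; return cookie_after_close(&c, o); }
int demo_before_close(void) { circ_t c = make_circ(0xAB); uint8_t o[COOKIE_LEN]; return cookie_before_close(&c, o) ? -1 : o[COOKIE_LEN - 1]; }
```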