[tor-bugs] #6472 [Tor Relay]: Assertion !connection_is_on_closeable_list
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat Jul 28 21:25:01 UTC 2012
#6472: Assertion !connection_is_on_closeable_list
-----------------------+----------------------------------------------------
Reporter: torland | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor Relay | Version: Tor: 0.2.3.19-rc
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Comment(by arma):
Replying to [comment:4 cypherpunks]:
> - connection_edge_end(pendconn, END_STREAM_REASON_TIMEOUT);
> - circuit_detach_stream(circuit_get_by_edge_conn(pendconn),
pendconn);
> - connection_free(TO_CONN(pendconn));
> + if (!pendconn->_base.marked_for_close) {
> + connection_edge_end(pendconn, END_STREAM_REASON_TIMEOUT);
> + circuit_detach_stream(circuit_get_by_edge_conn(pendconn),
pendconn);
> + connection_free(TO_CONN(pendconn));
> + }
This can happen in practice when dns_resolve_impl() gets a request for
something that was already answered and cached, then the new request is
cancelled (by an end cell), and the cached version expires while the
request is pending. Then purge_expired_resolves() finds something on
resolve->pending_connections and proceeds to free it, but it's on the
closeable_list too.
Diagnosed by our irc person. We agree that this race condition seems hard
to intentionally exploit in practice.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6472#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list