[tor-bugs] #6029 [Tor Relay]: relay crash in libcrypto (tor_tls_handshake)

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Jun 1 13:20:36 UTC 2012


#6029: relay crash in libcrypto (tor_tls_handshake)
-----------------------+----------------------------------------------------
 Reporter:  ln5        |          Owner:                     
     Type:  defect     |         Status:  new                
 Priority:  major      |      Milestone:  Tor: 0.2.3.x-final 
Component:  Tor Relay  |        Version:  Tor: 0.2.3.15-alpha
 Keywords:             |         Parent:                     
   Points:             |   Actualpoints:                     
-----------------------+----------------------------------------------------
Changes (by nickm):

  * version:  => Tor: 0.2.3.15-alpha
  * milestone:  => Tor: 0.2.3.x-final


Comment:

 Weird!  Since the only way to get a crash in write() is to give it a bad
 buffer or an overlong length... and since the arguments to BIO_write here
 are coming from the BIO_CTRL_FLUSH case of buffer_ctrl in openssl's
 crypto/bio/bf_buff.c ... something has to be screwed up in the BIO
 internals.

 If the crash is always in the same place, I'd suspect some kind of
 use-after-free thing, or something else that could allow a BIO specifically
 to become corrupt.  It would help to debug this if you can have gdb dump
 out (in tor_tls_handshake) the values of *tls, *tls->ssl, and
 *tls->ssl->wbio.

 If the crash isn't always in the same place, I'd suspect a memory
 corruption issue.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6029#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

