[tor-bugs] #6029 [Tor Relay]: relay crash in libcrypto (tor_tls_handshake)
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sun Jun 3 14:34:19 UTC 2012
#6029: relay crash in libcrypto (tor_tls_handshake)
-----------------------+----------------------------------------------------
Reporter: ln5 | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.3.x-final
Component: Tor Relay | Version: Tor: 0.2.3.15-alpha
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Comment(by ln5):
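Another crash looks like this (gdb backtrace, followed by the contents of *tls, *tls->ssl and *tls->ssl->wbio inspected from frame #5):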
{{{{
#0 0x00007ffff6a02acd in write () from /lib/libc.so.6
#1 0x00007ffff71a1035 in sock_write () from
/home/linus/usr/lib/libcrypto.so.1.0.0
#2 0x00007ffff719f1a7 in BIO_write () from
/home/linus/usr/lib/libcrypto.so.1.0.0
#3 0x00007ffff74bf7f4 in ssl3_write_pending () from
/home/linus/usr/lib/libssl.so.1.0.0
#4 0x00007ffff74c00ef in ssl3_write_bytes () from
/home/linus/usr/lib/libssl.so.1.0.0
#5 0x000000000052e17f in tor_tls_write (tls=0x7fffec7d0d10, [scrubbed
/ln], n=3296) at tortls.c:1715
#6 0x00000000004706e8 in flush_chunk_tls (tls=0x7fffec7d0d10,
buf=0x7fffed08c040,
chunk=0x7fffe5779ca0, sz=3296, buf_flushlen=0x7fffed0098f0) at
buffers.c:836
#7 0x0000000000470d99 in flush_buf_tls (tls=0x7fffec7d0d10,
buf=0x7fffed08c040, flushlen=16384,
buf_flushlen=0x7fffed0098f0) at buffers.c:921
#8 0x00000000004abda4 in connection_handle_write_impl
(conn=0x7fffed0098c0, force=0)
at connection.c:3211
#9 0x00000000004ac216 in connection_handle_write (conn=0x7fffed0098c0,
force=0) at connection.c:3312
#10 0x000000000040a751 in conn_write_callback (fd=4231, events=4,
_conn=0x7fffed0098c0) at main.c:735
#11 0x00007ffff771010c in event_process_active_single_queue
(base=0x7ac110, flags=<value optimized out>)
at event.c:1346
#12 event_process_active (base=0x7ac110, flags=<value optimized out>) at
event.c:1416
#13 event_base_loop (base=0x7ac110, flags=<value optimized out>) at
event.c:1617
#14 0x000000000040cf32 in do_main_loop () at main.c:1924
#15 0x000000000040e4a7 in tor_main (argc=3, argv=0x7fffffffe798) at
main.c:2619
#16 0x0000000000408b34 in main (argc=3, argv=0x7fffffffe798) at
tor_main.c:30
(gdb) up 5
#5 0x000000000052e17f in tor_tls_write (tls=0x7fffec7d0d10, [scrubbed
/ln], n=3296) at tortls.c:1715
1715 r = SSL_write(tls->ssl, cp, (int)n);
(gdb) p *tls
$1 = {magic = 1901532529, context = 0x7fffdc57eee0, ssl = 0x7fffedb96b10,
socket = 4231,
address = 0x7fffed134a80 "[scrubbed]", state = TOR_TLS_ST_OPEN, isServer
= 1, wasV2Handshake = 1,
got_renegotiate = 0, server_handshake_count = 2 '\002', wantwrite_n = 0,
last_write_count = 216696,
last_read_count = 31075, negotiated_callback = 0, callback_arg = 0x0}
(gdb) p *tls->ssl
$2 = {version = 769, type = 8192, method = 0x7ffff76f5480, rbio =
0x7fffec22f6b0,
wbio = 0x7fffec22f6b0, bbio = 0x0, rwstate = 2, in_handshake = 0,
handshake_func = 0x7ffff74b57e0 <ssl3_accept>, server = 1, new_session =
0, quiet_shutdown = 0,
shutdown = 0, state = 3, rstate = 240, init_buf = 0x0, init_msg =
0x7fffe5ee3ce4, init_num = 0,
init_off = 0, packet = 0x7fffe4819d83 "\334\377\177", packet_length = 0,
s2 = 0x0,
s3 = 0x7fffec192500, d1 = 0x0, read_ahead = 0, msg_callback = 0,
msg_callback_arg = 0x0, hit = 0,
param = 0x7fffec760df0, cipher_list = 0x7fffed664a70, cipher_list_by_id
= 0x7fffed3247b0,
mac_flags = 0, enc_read_ctx = 0x7fffe5ea5fd0, read_hash =
0x7fffe504ee90, expand = 0x0,
enc_write_ctx = 0x7fffe4ac97e0, write_hash = 0x7fffe4f67790, compress =
0x0, cert = 0x7fffedbe69c0,
sid_ctx_length = 0, sid_ctx = '\000' <repeats 31 times>, session =
0x7fffe46a21b0,
generate_session_id = 0, verify_mode = 1, verify_callback = 0x52a9e6
<always_accept_verify_cb>,
info_callback = 0x52c992 <tor_tls_debug_state_callback>, error = 0,
error_code = 0,
psk_client_callback = 0, psk_server_callback = 0, ctx = 0x7fffdc4a0b60,
debug = 0, verify_result = 0,
ex_data = {sk = 0x7fffec2a6ad0, dummy = 0}, client_CA = 0x0, references
= 1, options = 18153476,
mode = 18, max_cert_list = 102400, first_packet = 0, client_version =
769, max_send_fragment = 16384,
tlsext_debug_cb = 0, tlsext_debug_arg = 0x0, tlsext_hostname = 0x0,
servername_done = 0,
tlsext_status_type = -1, tlsext_status_expected = 0, tlsext_ocsp_ids =
0x0, tlsext_ocsp_exts = 0x0,
tlsext_ocsp_resp = 0x0, tlsext_ocsp_resplen = -1, tlsext_ticket_expected
= 1,
tlsext_ecpointformatlist_length = 0, tlsext_ecpointformatlist = 0x0,
tlsext_ellipticcurvelist_length = 0, tlsext_ellipticcurvelist = 0x0,
tlsext_opaque_prf_input = 0x0,
tlsext_opaque_prf_input_len = 0, tlsext_session_ticket = 0x0,
tls_session_ticket_ext_cb = 0,
tls_session_ticket_ext_cb_arg = 0x0, tls_session_secret_cb = 0,
tls_session_secret_cb_arg = 0x0,
initial_ctx = 0x7fffdc4a0b60, next_proto_negotiated = 0x0,
next_proto_negotiated_len = 0 '\000',
srtp_profiles = 0x0, srtp_profile = 0x0, tlsext_heartbeat = 0,
tlsext_hb_pending = 0,
tlsext_hb_seq = 0, renegotiate = 0, srp_ctx = {SRP_cb_arg = 0x0,
TLS_ext_srp_username_callback = 0,
SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0,
login = 0x0, N = 0x0, g = 0x0,
s = 0x0, B = 0x0, A = 0x0, a = 0x0, b = 0x0, v = 0x0, info = 0x0,
strength = 1024, srp_Mask = 0}}
(gdb) p *tls->ssl->wbio
$3 = {method = 0x7ffff74885a0, callback = 0, cb_arg = 0x0, init = 1,
shutdown = 0, flags = 0,
retry_reason = 0, num = 4231, ptr = 0x0, next_bio = 0x0, prev_bio = 0x0,
references = 1,
num_read = 31075, num_write = 216696, ex_data = {sk = 0x0, dummy = 0}}
}}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6029#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online