[tor-bugs] #5541 [Tor Relay]: NULL ptr deref. in connection_edge_process_relay_cell()
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sat Mar 31 18:13:24 UTC 2012
#5541: NULL ptr deref. in connection_edge_process_relay_cell()
-----------------------+----------------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: needs_review
Priority: major | Milestone: Tor: 0.2.2.x-final
Component: Tor Relay | Version:
Keywords: | Parent:
Points: | Actualpoints:
-----------------------+----------------------------------------------------
Changes (by nickm):
* priority: normal => major
* status: new => needs_review
* milestone: Tor: 0.2.3.x-final => Tor: 0.2.2.x-final
Comment:
My first thought was to move the "if (!conn)" check up higher, but that's
no good: it would mean that deliver_window stuff wouldn't get decremented
for unrecognized connections.
I'm not completely sure that the connection_edge_end() call there is
actually necessary: we're about to tear down the circuit, after all; it
should make the connection get ended one way or another. It looks like we
introduced that connection_edge_end() back in 4a66865d, as a way to make
sure that a good error got sent rather than a generic one.
But we can figure that out later. I think the right fix for now is to make
the connection_edge_end() there conditional on whether conn is set. See
branch "bug5541" on my public repo. It's against 0.2.2.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5541#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
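
The ordering constraint discussed in the comment above, as an added example that is not Tor source code and not part of the original message: a simplified C model in which window accounting must run for every cell, so the NULL check stays below it and only the end-of-stream call is guarded. All `model_*` names, the return codes and the `deliver_window < 0` teardown condition are assumptions made for the illustration.

```c
#include <stddef.h>

/* Simplified model, not Tor source: every name below is hypothetical. */
typedef struct { int deliver_window; } model_circ_t;
typedef struct { int end_sent; int bytes_delivered; } model_stream_t;

enum { CELL_DELIVERED = 0, CELL_DROPPED = 1, CIRC_TEARDOWN = -1 };

/* Stand-in for connection_edge_end(): it dereferences its argument, so
 * calling it with NULL is the crash named in the ticket title. */
static void model_stream_end(model_stream_t *s) { s->end_sent = 1; }

/* stream == NULL models a cell for a stream the relay does not recognize. */
int model_process_data_cell(model_circ_t *circ, model_stream_t *stream, int len)
{
  /* Window accounting runs for every cell, recognized stream or not.
   * This is why the NULL check cannot simply move above this point. */
  if (--circ->deliver_window < 0) {
    /* Assumed teardown condition for this model. */
    if (stream)               /* the conditional call proposed in the comment */
      model_stream_end(stream);
    return CIRC_TEARDOWN;     /* circuit goes away either way */
  }
  if (!stream)
    return CELL_DROPPED;      /* original NULL check stays below accounting */
  stream->bytes_delivered += len;
  return CELL_DELIVERED;
}

int main(void)
{
  /* Constructed input: window of 1, two cells for an unknown stream. */
  model_circ_t circ = { 1 };
  int first = model_process_data_cell(&circ, NULL, 10);
  int second = model_process_data_cell(&circ, NULL, 10);
  return (first == CELL_DROPPED && second == CIRC_TEARDOWN) ? 0 : 1;
}
```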