[tor-bugs] #7788 [Tor]: null dereference when bufferevents are on

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Feb 28 07:05:10 UTC 2013


#7788: null dereference when bufferevents are on
-----------------------------------------------------+----------------------
 Reporter:  lemerange                                |          Owner:                  
     Type:  defect                                   |         Status:  new             
 Priority:  major                                    |      Milestone:  Tor: unspecified
Component:  Tor                                      |        Version:  Tor: 0.2.3.25   
 Keywords:  crash cpu_worker tor-relay bufferevents  |         Parent:                  
   Points:                                           |   Actualpoints:                  
-----------------------------------------------------+----------------------

Comment(by cypherpunks):

 Replying to [comment:6 Javantea]:
 > The crash is a null dereference.
 >
 > The crash occurs in buffers.c:522 in buf_datalen:
 > return buf->datalen;
 >
 > In connection.c, conn->outbuf is null.
 > old_datalen = buf_datalen(conn->outbuf);
 >
 > This runs because conn->bufev is null which causes
 > IF_HAS_BUFFEREVENT(conn, { ... }); to not run.

 [snip]

 >
 > FYI, bufferevents is default on Gentoo, so we should definitely contact
 > them and tell them that it is unstable. You should also check whether
 > other distros enable bufferevents.
 >
 > I have a patch, if you want it, which fixes this null dereference and an
 > abort that occurs as well. There are several places where similar code
 > occurs, so this probably requires a larger effort. I am testing the patch
 > I wrote right now.

 While we are contacting Gentoo, they also need to change the tor init
 script to increase the nofile rlimit setting to 8096 (or whatever) in the
 init script.  Gentoo defaults to 0 core size and 1024 fds.

 Thanks for finding this one; between grsec and ulimit issues it took me
 too long to figure out why it wasn't dropping a core.  I have recompiled
 without bufferevents (and also figured out how to change the ulimit by using
 the prlimit command, which I built into my own init script).

 After starting tor, as root:

 # capture the PID of the tor process (command substitution was missing)
 TORPID=$(ps -u toruser --noheaders -o pid)
 # raise soft:hard limits for open files and core size on the running process
 prlimit --nofile=8196:32500 --core=8000000:16000000 --pid "$TORPID"

 I will report back in a couple of days to verify whether the relay crashes
 again without bufferevents, and then we can be more sure it's the same
 bug.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7788#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
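The crash pattern quoted above, buf_datalen() dereferencing a NULL conn->outbuf because conn->bufev was also NULL and the IF_HAS_BUFFEREVENT branch was skipped, reduced to a stand-alone C model. This is an added example, not code from Tor or from the ticket: buf_t, bufferevent_t, connection_t, outbuf_len_buggy and outbuf_len_fixed are hypothetical stand-ins that only share the shape of the structures the comment names, and the numeric values are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the Tor structures named in the ticket. */
typedef struct {
  size_t datalen;              /* bytes queued in a legacy buf_t */
} buf_t;

typedef struct {
  size_t pending;              /* bytes queued in the bufferevent's output buffer */
} bufferevent_t;

typedef struct {
  buf_t *outbuf;               /* legacy output buffer; NULL on some connections */
  bufferevent_t *bufev;        /* set only when built with bufferevents */
} connection_t;

/* Same shape as the crash site: dereferences buf unconditionally. */
static size_t buf_datalen(const buf_t *buf) {
  return buf->datalen;         /* buf == NULL -> SIGSEGV */
}

/* Buggy caller, as described in the ticket: the bufferevent branch is skipped
   because conn->bufev is NULL, execution falls through to the legacy path,
   and conn->outbuf (also NULL) is dereferenced. */
static size_t outbuf_len_buggy(const connection_t *conn) {
  return buf_datalen(conn->outbuf);
}

/* Hardened caller: handle the bufferevent case first, then the legacy buffer,
   and treat "neither buffer present" as zero bytes queued instead of crashing. */
static size_t outbuf_len_fixed(const connection_t *conn) {
  if (conn->bufev)
    return conn->bufev->pending;
  if (conn->outbuf)
    return buf_datalen(conn->outbuf);
  return 0;
}

int main(void) {
  buf_t legacy_buf = { 42 };                    /* constructed values */
  bufferevent_t ev = { 7 };
  connection_t legacy = { &legacy_buf, NULL };  /* classic build */
  connection_t evconn = { NULL, &ev };          /* bufferevents build */
  connection_t orphan = { NULL, NULL };         /* the crashing state */

  printf("legacy: %zu\n", outbuf_len_fixed(&legacy));
  printf("bufev:  %zu\n", outbuf_len_fixed(&evconn));
  printf("orphan: %zu\n", outbuf_len_fixed(&orphan));
  /* outbuf_len_buggy(&orphan) would segfault here, matching the report. */
  return 0;
}
```

In real libevent code the bufferevent branch would read the queued length with evbuffer_get_length(bufferevent_get_output(bufev)); the model keeps a plain counter so it runs without libevent. The point of the fixed accessor is that the NULL check on outbuf is needed even after the bufferevent check, since a connection can have neither buffer attached.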