[tor-bugs] #9288 [Tor]: Invalid memory read in `pt_configure_remaining_proxies()`

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 18 10:30:36 UTC 2013

#9288: Invalid memory read in `pt_configure_remaining_proxies()`
 Reporter:  asn     |          Owner:                    
     Type:  defect  |         Status:  new               
 Priority:  normal  |      Milestone:  Tor: 0.2.5.x-final
Component:  Tor     |        Version:                    
 Keywords:          |         Parent:                    
   Points:          |   Actualpoints:                    
     /* If the proxy is not fully configured, try to configure it
        futher. */
     if (!proxy_configuration_finished(mp))

     if (proxy_configuration_finished(mp))
       at_least_a_proxy_config_finished = 1;

 If the managed proxy is destroyed during `configure_proxy()` (by going to
 `handle_finished_proxy()`), then it is passed to
 `proxy_configuration_finished()` which reads `mp->conf_state`. This is an
 invalid memory read since the memory area of `mp` was freed.

 Not too hard to fix. An inelegant fix would be to make `configure_proxy()`
 return an int, that would warn `pt_configure_remaining_proxies()` if it
 destroys the managed proxy.

 Bug present since 0.2.4.x. Doesn't seem threatening, so we can fix it just
 in 0.2.5.x. The bug triggers when something bad happens during the
 managed-proxy configuration protocol, and we have to destroy the managed

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9288>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list