[tor-bugs] #8746 [Tor]: Tor tries to kill nonexistent proxy PID on second SIGINT

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jun 14 04:11:08 UTC 2014


#8746: Tor tries to kill nonexistent proxy PID on second SIGINT
-------------------------+-------------------------------------------------
     Reporter:  dcf      |      Owner:  nickm
         Type:  defect   |     Status:  needs_review
     Priority:  normal   |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor      |    Version:
   Resolution:           |   Keywords:  tor-client, pt, 024-deferrable,
Actual Points:           |  025-triaged
       Points:           |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by yawning):

 Assuming the branch in `set_waitpid_callback()` is taken and the
 `tor_free(old_ent)` call suggested by athena is there, it's probably
 fairly reasonable to assume that there could very well be a different
 `process_handle_t` that holds a reference to `old_ent`.

 Some time later when `tor_destroy_process_handle(other_handle, 1)` is
 called (I don't know if it ever will, but we're already in "our invariants
 have been violated" territory), the code path where asn suggests a free
 will be invoked with `ent` being the dangling pointer because the
 hashtable entry for the pid at that point is either missing (the callback
 fired and the replacement entry got removed from the table) or is the new
 entry.

 Either leave it as is (leaks a trivial amount of memory when impossible
 things happen), add a `tor_free()` only in `clear_waitpid_callback()` (may
 leak a trivial amount of memory, if the previous process handle is never
 destroyed), or add asserts in both branches because both conditions are
 invariants.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8746#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
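
The ownership question raised in the comment above, as a simplified model of its second option (free the entry only in the clear path). This is an added example, not Tor's code: `cb_ent`, `handle`, `model_set`, `model_clear` and `scenario` are hypothetical names, and the fixed-size array stands in for the pid hashtable.

```c
#include <stdlib.h>

/* Simplified model of a pid -> callback-entry table; every name is hypothetical. */
typedef struct cb_ent { int pid; } cb_ent;
typedef struct handle { cb_ent *ent; } handle;

#define SLOTS 8
static cb_ent *table[SLOTS];   /* toy map: slot = pid % SLOTS */
static int live_entries;       /* entries allocated and not yet freed */

/* Register an entry for pid. If one already exists (the "impossible" case),
 * replace it in the table but do NOT free it: another handle may still hold it. */
static void model_set(handle *h, int pid) {
  cb_ent *ent = malloc(sizeof(*ent));
  if (!ent) abort();
  ent->pid = pid;
  live_entries++;
  table[pid % SLOTS] = ent;    /* a replaced entry stays owned by its handle */
  h->ent = ent;
}

/* The only place an entry is freed: the handle owns its entry. The table
 * mapping is removed only when it still refers to this very entry. */
static void model_clear(handle *h) {
  cb_ent *ent = h->ent;
  if (!ent) return;
  if (table[ent->pid % SLOTS] == ent)
    table[ent->pid % SLOTS] = NULL;
  free(ent);
  live_entries--;
  h->ent = NULL;
}

/* Two handles end up registered for one pid. Returns how many entries are
 * still allocated once the newer handle has been cleared. */
static int scenario(int destroy_old_handle) {
  handle old_h = {0}, new_h = {0};
  int before = live_entries;
  model_set(&old_h, 5);
  model_set(&new_h, 5);                          /* replacement branch */
  if (destroy_old_handle) model_clear(&old_h);   /* pointer is still valid here */
  model_clear(&new_h);
  int leaked = live_entries - before;
  if (!destroy_old_handle) model_clear(&old_h);  /* tidy up the demo itself */
  return leaked;
}

int main(void) { return scenario(1) != 0 || scenario(0) != 1; }
```

Freeing the replaced entry inside `model_set` instead would leave `old_h.ent` dangling, which is the case the comment warns about; in this model the cost of not doing so is one leaked entry when the older handle is never cleared.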

