[tor-bugs] #11820 [Obfsproxy]: circuit `NoneType` in obfs3 handshake callbacks
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 8 14:21:54 UTC 2014
#11820: circuit `NoneType` in obfs3 handshake callbacks
---------------------------+-----------------
Reporter: asn | Owner: asn
Type: defect | Status: new
Priority: normal | Milestone:
Component: Obfsproxy | Version:
Resolution: | Keywords:
Actual Points: | Parent ID:
Points: |
---------------------------+-----------------
Comment (by asn):
So, the exception is partially caused by `Circuit.close()` setting
`self.transport.circuit` to `None`.
It's also partially caused because the callback/errback of the obfs3
handshake don't check that `self.circuit` exists.
I think a sequence of events like this would trigger the bug:
{{{
(1) User connects. Starts obfs3 handshake.
(2) We start parsing handshake and deferToThread().
(3) User disconnects. Circuit is cleared. `self.transport.circuit` is
NULLed.
(4) Our callbacks trigger. They try to access `self.circuit.close()` and
they crash.
}}}
There are at least a few ways to fix this bug:
a) In the beginning of the callback/errback check that `self.circuit`
exists. If it doesn't, return prematurely since the connection is dead
anyway. This will need to become a new rule for transport authors that use
threads.
b) Stop setting the transport circuit to None, and guard for `self.closed`
in the various Circuit methods in case the callback/errback try to access
them while it's closed.
Both solutions seem acceptable to me.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/11820#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list