[tor-bugs] #13325 [- Select a component]: Tor crash on OpenBSD-current since 2014-08-10

[Tor Bug Tracker & Wiki]

#13325: Tor crash on OpenBSD-current since 2014-08-10
----------------------------------+---------------------
 Reporter:  fredzupy              |          Owner:
     Type:  defect                |         Status:  new
 Priority:  normal                |      Milestone:
Component:  - Select a component  |        Version:
 Keywords:                        |  Actual Points:
Parent ID:                        |         Points:
----------------------------------+---------------------
 Tor is broken under OpenBSD-current since this patch, I think,
 <http://marc.info/?l=openbsd-cvs&m=140768179627976&w=2>).
 The function prune_v2_cipher_list() in src/common/tortls.c now crash Tor
 (Segmentation fault). All Tor versions impacted.

 Commenting out the prune_v2_cipher_list() seems to be enough as a
 workaround.

 Here is a gdb backtrace with tor-0.2.5.7-rc in debug mode:

 Oct 02 14:41:12.000 [debug] tor_tls_debug_state_callback(): SSL 0x83b91000
 is now in state before/accept initialization [type=16,val=1].
 Oct 02 14:41:12.000 [debug] tor_tls_debug_state_callback(): SSL 0x83b91000
 is now in state before/accept initialization [type=8193,val=1].
 Oct 02 14:41:12.000 [debug] tor_tls_debug_state_callback(): SSL 0x83b91000
 is now in state unknown state [type=8194,val=-1].
 Oct 02 14:41:12.000 [debug] tor_tls_handshake(): After call, 0x82a59d80
 was in state unknown state
 Oct 02 14:41:12.000 [debug] connection_tls_continue_handshake(): wanted
 read
 Oct 02 14:41:12.000 [debug] conn_read_callback(): socket 22 wants to read.
 Oct 02 14:41:12.000 [debug] tor_tls_handshake(): About to call SSL_accept
 on 0x82a59d80 (unknown state)

 Program received signal SIGSEGV, Segmentation fault.
 0x00000000 in ?? ()
 (gdb) bt
 #0  0x00000000 in ?? ()
 #1  0x1a8d578b in tor_tls_classify_client_ciphers (ssl=0x83b91000,
 peer_ciphers=0x85251200) at src/common/tortls.c:1489
 #2  0x1a8d58ff in tor_tls_session_secret_cb (ssl=0x83b91000,
 secret=0x8a659608, secret_len=0x8a659604, peer_ciphers=0x85251200,
 cipher=0xcfbe0184, arg=0x0) at src/common/tortls.c:1683
 #3  0x0b9e09ec in ssl3_get_client_hello (s=0x83b91000) at
 /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:1119
 #4  0x0b9e176f in ssl3_accept (s=0x83b91000) at
 /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_srvr.c:346
 #5  0x0b9f22fa in SSL_accept (s=0x83b91000) at
 /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:922
 #6  0x0b9d8836 in ssl23_get_client_hello (s=0x83b91000) at
 /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_srvr.c:573
 #7  0x0b9d915c in ssl23_accept (s=0x83b91000) at
 /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_srvr.c:232
 #8  0x0b9f22fa in SSL_accept (s=0x83b91000) at
 /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:922
 #9  0x1a8d5d59 in tor_tls_handshake (tls=0x82a59d80) at
 src/common/tortls.c:2113
 #10 0x1a865f10 in connection_tls_continue_handshake (conn=0x83b93000) at
 src/or/connection_or.c:1468
 #11 0x1a857dee in connection_handle_read (conn=0x83b93000) at
 src/or/connection.c:3287
 #12 0x1a7a842f in conn_read_callback (fd=22, event=2, _conn=0x83b93000) at
 src/or/main.c:736
 #13 0x0bb9ca02 in event_base_loop (base=0x7e447000, flags=0) at
 /usr/src/lib/libevent/event.c:404
 #14 0x1a7a3eab in do_main_loop () at src/or/main.c:2027
 #15 0x1a7a55ca in tor_main (argc=3, argv=0xcfbe09c4) at src/or/main.c:3047
 #16 0x1a7a1cdd in main (argc=536912672, argv=0x8696ee00) at
 src/or/tor_main.c:30
 (gdb)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13325>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online