[tor-bugs] #13096 [Tor]: [patch] routerlist: NULL struct pointer dereferenced to take address of element
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 9 01:53:57 UTC 2014
#13096: [patch] routerlist: NULL struct pointer dereferenced to take address of element
-----------------------+------------------------------------
 Reporter:  teor       |          Owner:
     Type:  defect     |         Status:  new
 Priority:  normal     |      Milestone:
Component:  Tor        |        Version:  Tor: 0.2.5.5-alpha
 Keywords:  tor-relay  |  Actual Points:
Parent ID:             |         Points:
-----------------------+------------------------------------
In routerlist.c line 4953, a struct pointer that is sometimes NULL is
dereferenced by an assertion. The assertion then takes the address of one
of the struct's elements (routerlist.c 4953):

    tor_assert(sd != &(r2->cache_info));

This is undefined behaviour in C, and could lead to the optimiser ignoring
the check, or the program crashing.

To avoid dereferencing the potentially-NULL pointer, the assertion can be
modified to check for NULL r2 first (if this is what is intended):

    tor_assert(!r2 || sd != &(r2->cache_info));

The attached patch makes this change.

FYI - this error was discovered using a tor built with:

    clang -fsanitize=undefined-trap -fsanitize-undefined-trap-on-error -ftrapv

Version: tor 0.2.6.?-alpha git 54348201f7cce9c0c01e9d4835714a2fec55c67c
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13096>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
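
The two assertion conditions from the ticket side by side, as an added example that is not part of the original ticket or of Tor's code. The struct layouts, find_router() and the check_* helpers are hypothetical stand-ins, and the data is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for Tor's types; the field layout is an assumption. */
typedef struct { long published_on; } signed_descriptor_t;
typedef struct {
  int id;
  signed_descriptor_t cache_info;   /* member at a non-zero offset */
} routerinfo_t;

/* Hypothetical lookup that, like the r2 in the ticket, is sometimes NULL. */
static const routerinfo_t *find_router(const routerinfo_t *list, size_t n, int id)
{
  for (size_t i = 0; i < n; i++)
    if (list[i].id == id)
      return &list[i];
  return NULL;
}

/* Condition of the original assertion: forms &(r2->cache_info)
 * unconditionally, so it is only defined when r2 != NULL. */
static int check_unguarded(const signed_descriptor_t *sd, const routerinfo_t *r2)
{
  return sd != &(r2->cache_info);
}

/* Condition of the proposed assertion: || short-circuits, so the member
 * address is never formed from a NULL r2. */
static int check_guarded(const signed_descriptor_t *sd, const routerinfo_t *r2)
{
  return !r2 || sd != &(r2->cache_info);
}

int main(void)
{
  routerinfo_t routers[2] = { { 1, { 100 } }, { 2, { 200 } } };  /* constructed data */
  signed_descriptor_t standalone = { 300 };
  const routerinfo_t *hit = find_router(routers, 2, 2);
  const routerinfo_t *miss = find_router(routers, 2, 9);   /* NULL */

  printf("guarded, r2 == NULL:        %d\n", check_guarded(&standalone, miss));
  printf("guarded, sd is r2's member: %d\n", check_guarded(&hit->cache_info, hit));
  printf("guarded, sd is distinct:    %d\n", check_guarded(&standalone, hit));
  printf("unguarded, r2 != NULL:      %d\n", check_unguarded(&standalone, hit));
  return 0;
}
```

The unguarded helper is only ever called with a non-NULL r2 here; the guarded form is the one that accepts the NULL lookup result.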