[tor-bugs] #16823 [Tor]: potential double-free in command_process_create_cell()

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Aug 16 00:45:45 UTC 2015


#16823: potential double-free in command_process_create_cell()
--------------------------------------------+---------------------
 Reporter:  isis                            |          Owner:
     Type:  defect                          |         Status:  new
 Priority:  normal                          |      Milestone:
Component:  Tor                             |        Version:
 Keywords:  tor-relay, tor-guard, security  |  Actual Points:
Parent ID:                                  |         Points:
--------------------------------------------+---------------------
 In `command_process_create_cell()` (on master, as of commit
 da04fed865b6df09b33e6b632d51d34b3eb20d14)

 {{{
      memset(&created_cell, 0, sizeof(created_cell));
      len = onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_FAST,
                                        create_cell->onionskin,
                                        create_cell->handshake_len,
                                        NULL,
                                        created_cell.reply,
                                        keys, CPATH_KEY_MATERIAL_LEN,
                                        rend_circ_nonce);
      tor_free(create_cell);
      if (len < 0) {
        log_warn(LD_OR,"Failed to generate key material. Closing.");
        circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
        tor_free(create_cell);
        return;
      }
 }}}

 Which is a double-free (somewhat dependent on what the `PREDICT_LIKELY`
 macro generates).

 I haven't tested yet, but it might be possible to crash relays with this
 bug. We should probably patch this ASAP.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16823>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
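The hazard in the excerpt above is a second release of `create_cell` on the error path after it has already been released unconditionally. As an added example (not Tor's code), the block below mirrors that control flow with a free-and-null wrapper, the idiom Tor's `tor_free` macro follows, so the redundant release degrades to `free(NULL)` instead of a double free; the struct, the handshake stub and the return codes are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the create cell struct named in the report;
 * only the fields the control flow below touches are modelled. */
typedef struct {
    unsigned char onionskin[64];
    size_t handshake_len;
} demo_create_cell_t;

/* Free-and-null wrapper. After the first use the variable is NULL, so a
 * second use on the same path degrades to free(NULL), which is defined
 * to do nothing, instead of a real double free. This is the idiom Tor's
 * tor_free macro follows; the macro here is a constructed example. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Stand-in for onion_skin_server_handshake(): -1 on failure, else the
 * number of reply bytes produced. */
static int demo_server_handshake(const demo_create_cell_t *cell, int fail)
{
    if (fail || cell->handshake_len == 0)
        return -1;
    return (int)cell->handshake_len;
}

/* Mirrors the control flow of the snippet in the ticket: the cell is
 * released once unconditionally and once more on the error path.
 * Returns 0 on success, -1 on handshake failure, -2 on allocation
 * failure, and -3 if the pointer were still non-NULL after the
 * redundant release (i.e. a dangling pointer survived). */
int demo_process_create_cell(int fail_handshake)
{
    demo_create_cell_t *create_cell = calloc(1, sizeof(*create_cell));
    if (!create_cell)
        return -2;
    create_cell->handshake_len = 32;               /* constructed sample */
    memset(create_cell->onionskin, 0xAB, create_cell->handshake_len);

    int len = demo_server_handshake(create_cell, fail_handshake);
    FREE_AND_NULL(create_cell);                    /* first release */
    if (len < 0) {
        fprintf(stderr, "Failed to generate key material. Closing.\n");
        FREE_AND_NULL(create_cell);                /* second release: free(NULL) */
        return create_cell == NULL ? -1 : -3;
    }
    return 0;
}
```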