[tor-bugs] #17752 [Tor]: Null pointer deref in connection_ap_attach_pending()

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 4 16:54:58 UTC 2015


#17752: Null pointer deref in connection_ap_attach_pending()
-------------------------+--------------------------------
     Reporter:  dgoulet  |      Owner:
         Type:  defect   |     Status:  new
     Priority:  Medium   |  Milestone:  Tor: 0.2.8.x-final
    Component:  Tor      |    Version:
     Severity:  Major    |   Keywords:
Actual Points:           |  Parent ID:
       Points:           |    Sponsor:
-------------------------+--------------------------------
 My tor client is running on version `0.2.8.0-alpha-dev
 (git-ee5337e90497e31c)` and I got a crash with a coredump this morning. It
 happened when one of my hidden services was rebooted and then the torsocks
 client tried to reconnect.

 Last notice log:

 {{{
 Dec 04 11:39:16.000 [notice] Closing stream for 'SCRUBBED ONION': hidden
 service is unavailable (try again later).
 }}}

 Here is the gdb backtrace of the coredump:

 {{{
 [snip]
 #3  <signal handler called>
 No locals.
 #4  connection_ap_attach_pending (retry=retry@entry=1) at
 src/or/connection_edge.c:801
         conn = 0x0
         entry_conn_sl_idx = 3
         entry_conn_sl_len = 4
         entry_conn = 0x0
         __FUNCTION__ = "connection_ap_attach_pending"
         __func__ = "connection_ap_attach_pending"
 #5  0x0000561584871bf4 in connection_ap_rescan_and_attach_pending () at
 src/or/connection_edge.c:779
         entry_conn = 0x561586bcc260
         conns = <optimized out>
         __FUNCTION__ = "connection_ap_rescan_and_attach_pending"
 #6  0x0000561584851da8 in circuit_build_needed_circs
 (now=now@entry=1449247161) at src/or/circuituse.c:1126
         options = 0x561586bcc260
 #7  0x00005615847c8288 in run_scheduled_events (now=1449247161) at
 src/or/main.c:1491
         options = 0x561586bcc260
         have_dir_info = <optimized out>
         i = <optimized out>
 [snip]
 }}}

 Apparently `conn` is NULL at that point, thus this line exploded
 in `src/or/connection_edge.c`:

 {{{
     connection_t *conn = ENTRY_TO_CONN(entry_conn);
     if (conn->marked_for_close) {
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17752>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
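
Added example, not part of the ticket and not Tor's code or its eventual fix: a reduced C model of the loop in frame #4, showing why a NULL list slot becomes a NULL `conn` and how a check before the dereference turns the crash into a reportable condition. The struct layouts, the cast form of `ENTRY_TO_CONN`, `scan_result_t` and `scan_pending()` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions, not Tor's definitions): the base
 * connection is the first member, so the cast macro maps NULL to NULL. */
typedef struct { int marked_for_close; } connection_t;
typedef struct { connection_t base_; int stream_id; } entry_connection_t;
#define ENTRY_TO_CONN(e) ((connection_t *)(e))

typedef struct { size_t attached, skipped_marked, null_slots; } scan_result_t;

/* Walk a pending list, checking each slot before dereferencing it.
 * A NULL slot is counted and reported instead of crashing the process. */
scan_result_t
scan_pending(entry_connection_t **pending, size_t len)
{
  scan_result_t r = {0, 0, 0};
  for (size_t i = 0; i < len; ++i) {
    entry_connection_t *entry_conn = pending[i];
    if (entry_conn == NULL) {          /* the state seen in frame #4 */
      fprintf(stderr, "pending slot %zu of %zu is NULL\n", i, len);
      ++r.null_slots;
      continue;
    }
    connection_t *conn = ENTRY_TO_CONN(entry_conn);
    if (conn->marked_for_close) {
      ++r.skipped_marked;
      continue;
    }
    ++r.attached;                      /* placeholder for the attach step */
  }
  return r;
}

int
main(void)
{
  /* Constructed input mirroring the backtrace: length 4, index 3 is NULL. */
  entry_connection_t a = {{0}, 1}, b = {{1}, 2}, c = {{0}, 3};
  entry_connection_t *pending[4] = { &a, &b, &c, NULL };
  scan_result_t r = scan_pending(pending, 4);
  printf("attached=%zu marked=%zu null=%zu\n",
         r.attached, r.skipped_marked, r.null_slots);
  return r.null_slots ? 1 : 0;
}
```

The guard only contains the symptom; how a NULL entry ended up in the list is a separate question the backtrace alone does not answer.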

