[tor-bugs] #14259 [Tor]: memleak in connection_ap_handshake_rewrite_and_attach()

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Jan 17 11:43:32 UTC 2015


#14259: memleak in connection_ap_handshake_rewrite_and_attach()
--------------------+------------------------------------
 Reporter:  asn     |          Owner:
     Type:  defect  |         Status:  new
 Priority:  normal  |      Milestone:  Tor: 0.2.6.x-final
Component:  Tor     |        Version:
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
--------------------+------------------------------------
 I think there is a memleak in
 `connection_ap_handshake_rewrite_and_attach()`. Specifically, in this
 block of code:
 {{{
   if (socks->command == SOCKS_COMMAND_RESOLVE_PTR) {
     unsigned rewrite_flags = 0;
     if (conn->use_cached_ipv4_answers)
       rewrite_flags |= AMR_FLAG_USE_IPV4_DNS;
     if (conn->use_cached_ipv6_answers)
       rewrite_flags |= AMR_FLAG_USE_IPV6_DNS;

     if (addressmap_rewrite_reverse(socks->address, sizeof(socks->address),
                                    rewrite_flags, &map_expires)) {
       char *result = tor_strdup(socks->address);
       /* remember _what_ is supposed to have been resolved. */
       tor_snprintf(socks->address, sizeof(socks->address), "REVERSE[%s]",
                   orig_address);
       connection_ap_handshake_socks_resolved(conn, RESOLVED_TYPE_HOSTNAME,
                                              strlen(result), (uint8_t*)result,
                                              -1,
                                              map_expires);
       connection_mark_unattached_ap(conn,
                                 END_STREAM_REASON_DONE |
                                 END_STREAM_REASON_FLAG_ALREADY_SOCKS_REPLIED);
       return 0;
     }
 }}}

 The `result` string is strdupped and passed to that function without it
 ever being freed.

 I'm not sure if this code can be reached by - say - a malicious website.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14259>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
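
An added example, not part of the original ticket and not Tor's code: a minimal C model of the pattern reported above, counting outstanding allocations with and without a free on the early-return path. All function names are hypothetical, and it assumes the reply routine copies the answer rather than taking ownership of the pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins; none of these are Tor functions. */
static long live_allocs = 0;          /* outstanding heap blocks */
static char *counted_strdup(const char *s) {
  size_t n = strlen(s) + 1;
  char *p = malloc(n);
  if (!p) abort();
  memcpy(p, s, n);
  live_allocs++;
  return p;
}
static void counted_free(char *p) { if (p) { free(p); live_allocs--; } }

/* Assumed contract: the reply routine copies the answer into its own
 * buffer and does not take ownership of the caller's pointer. */
static char reply_buf[256];
static void send_resolved_reply(const char *answer, size_t len) {
  if (len >= sizeof(reply_buf)) len = sizeof(reply_buf) - 1;
  memcpy(reply_buf, answer, len);
  reply_buf[len] = '\0';
}

/* Same shape as the reported block: duplicate, overwrite the address
 * field, send the reply, return early. */
static int handle_reverse(char *addr, size_t len, const char *orig, int do_free) {
  char *result = counted_strdup(addr);
  snprintf(addr, len, "REVERSE[%s]", orig);
  send_resolved_reply(result, strlen(result));
  if (do_free)
    counted_free(result);   /* release the copy before returning */
  return 0;
}

/* Run n lookups and report how many blocks are still outstanding. */
long leaked_after(int n, int do_free) {
  long before = live_allocs;
  for (int i = 0; i < n; i++) {
    char addr[256] = "host.example";  /* constructed rewritten answer */
    handle_reverse(addr, sizeof(addr), "1.2.0.192.in-addr.arpa", do_free);
  }
  return live_allocs - before;
}

int main(void) {
  printf("leaky=%ld fixed=%ld\n", leaked_after(1000, 0), leaked_after(1000, 1));
  return 0;
}
```

Without the free, one block stays allocated per request handled on this path, so the growth is proportional to how often the path is exercised.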

