[tor-bugs] #14554 [Tor]: Possible infinite loop on pipe_drain()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jan 30 16:02:22 UTC 2015
#14554: Possible infinite loop on pipe_drain()
---------------------+------------------------------------
Reporter: dgoulet | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version: Tor: 0.2.6.2-alpha
Keywords: | Actual Points:
Parent ID: | Points:
---------------------+------------------------------------
In {{{src/common/compat_threads.c}}}, there is this function:
{{{
static int
pipe_drain(int fd)
{
char buf[32];
ssize_t r;
while ((r = read_ni(fd, buf, sizeof(buf))) >= 0)
;
if (r == 0 || errno != EAGAIN)
return -1;
return 0;
}
}}}
This one will end up in an infinite loop because read() returns 0 when
EOF. Furthermore, if let say we get out of this loop somehow, errno ==
SUCCESS will return -1. Even if the fd is in non blocking mode, if the fd
is drained, the last read() will return 0 non stop (I tested it here with
two threads).
I'm coming up with a fix asap that use a safer read() wrapper.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14554>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list