[tor-bugs] #18710 [Core Tor/Tor]: dnsserv.c asserts when no supported questions are requested
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Apr 27 22:59:53 UTC 2016
#18710: dnsserv.c asserts when no supported questions are requested
-------------------------------------------------+-------------------------
Reporter: geekmug | Owner:
Type: defect | Status:
Priority: Medium | needs_revision
Component: Core Tor/Tor | Milestone: Tor:
Severity: Normal | 0.2.???
Keywords: dns dnsport tor-client 029-proposed | Version: Tor:
Parent ID: | 0.2.7.6
Reviewer: nickm | Resolution:
| Actual Points:
| Points: very
| small
| Sponsor:
-------------------------------------------------+-------------------------
Comment (by geekmug):
Replying to [comment:6 nickm]:
> I've tested Tor 0.2.5 and forward with MX queries to verify that they
don't actually crash. It appears they don't. I'm testing by only sending
a single MX query in the request.
I'm sorry, I must have done a poor job of explaining the bug. Your test is
invalid because the crash is only presented with multiple queries wherein
the first query is a bad type and contains at least one good type. The key
part of my commit message is: "it doesn't actually pick the first
supported question -- it always picks the first question." All you need is
a query with an unsupported type for the first query and at least one
supported query.
For instance, if I send a SRV and A record query together (in that order),
then the "if (!q) q = req->questions[i];" makes q a SRV record. Then, the
switch block falls through to the default. On the next loop, q is already
set, so it is still the SRV record, but the switch is on
"req->questions[i]->type" that is now an A record. The case block then
assigns "supported_q = q" (which is not req->questions[i]).
I stumbled on this by putting the DNSPort as 5353, but then mDNS was
hitting the tor server. For instance, one of my devices sends out a
request for [SRV, A, SRV], which matches the criteria I describe above,
and crashes tor.
(gdb) frame 1
#1 0x00000000004cef69 in evdns_server_callback (req=0xeab638,
data_=0x7ff550) at src/or/dnsserv.c:139
139 tor_assert(q->type == EVDNS_TYPE_PTR);
(gdb) print *q
$2 = {type = 33, class = 1, name = "A"}
I can capture a packet for you to reply or perhaps generate some code to
cause the issue, but I don't readily know how to generate a DNS query with
multiple records using commonly available tools (e.g., "dig" doesn't
support it).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18710#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list