[tor-bugs] #18447 [Tor]: Possible double-free in test_options.c

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 29 14:08:33 UTC 2016


#18447: Possible double-free in test_options.c
---------------------------+------------------------------------------
     Reporter:  stevenc99  |      Owner:
         Type:  defect     |     Status:  new
     Priority:  Low        |  Milestone:
    Component:  Tor        |    Version:
     Severity:  Normal     |   Keywords:  validate__transproxy FreeBSD
Actual Points:             |  Parent ID:
       Points:             |    Sponsor:
---------------------------+------------------------------------------
 {{{
 Hi,

 On derivatives of FreeBSD that have net/pfvar.h, (GNU/kFreeBSD in my
 case, but there will be others), USE_TRANSPARENT gets defined but
 __FreeBSD__ is not.  Therefore when running options/validate__transproxy
 in src/test/test_options.c:

    1080   free_options_test_data(tdata);

 tdata remains a dangling pointer.  It may be assigned a new value in one
 of the following ifdef blocks, which exist for linux, __FreeBSD__,
 DARWIN and __OpenBSD__.  So in any other case when we reach:

    1115   free_options_test_data(tdata);

 it would double-free the tdata from earlier.  I've attached a simple
 patch to NULL that pointer the first time it is freed.

 I will follow up with another ticket to enable transproxy on
 GNU/kFreeBSD and enable this test to run on it.  Thanks.

 Backtrace of the crash with -DNO_FORKING:

 #0  routerset_free (routerset=0x21) at src/or/routerset.c:411
         cp_sl_idx = <optimized out>
         cp_sl_len = <optimized out>
         cp = <optimized out>
 #1  0x000000000061d4e0 in or_options_free (options=0xae1ad0) at
 src/or/config.c:800
 No locals.
 #2  0x000000000051f3e5 in free_options_test_data (td=0xae2750) at
 src/test/test_options.c:391
 No locals.
 #3  0x00000000005231f3 in test_options_validate__transproxy
 (ignored=<optimized out>) at src/test/test_options.c:1115
         ret = <optimized out>
         tdata = 0xae2750
 #4  0x00000000005ede8a in testcase_run_bare_ (testcase=0xaab430
 <options_tests+400>) at src/ext/tinytest.c:106
         env = 0x0
         outcome = <optimized out>
 #5  testcase_run_one (group=0xaa61e0 <testgroups+512>, testcase=0xaab430
 <options_tests+400>) at src/ext/tinytest.c:253
         testcase = 0xaab430 <options_tests+400>
         group = 0xaa61e0 <testgroups+512>
 #6  0x00000000005ee51e in tinytest_main (c=c@entry=3,
 v=v@entry=0x7fffffffe5b8, groups=0xaa5fe0 <testgroups>) at
 src/ext/tinytest.c:435
         i = 32
         j = 10
         n = <optimized out>
 #7  0x000000000040d04b in main (c=3, v=0x7fffffffe5b8) at
 src/test/testing_common.c:300
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18447>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
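
The pattern from the ticket, as an added example that is not Tor's code and not part of the original message: a constructed fixture pool counts a second free instead of performing it, so the unpatched path on a platform with no matching #if block can be compared with the NULL-after-free fix. The names test_data_t, get_test_data, free_test_data and run_case are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for the test fixture; not Tor's options test data. */
typedef struct { int live; } test_data_t;

static test_data_t pool[4];   /* static slots, so a stale pointer stays readable */
static int double_frees;      /* frees of an already-freed slot */

static test_data_t *get_test_data(void) {
  for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++) {
    if (!pool[i].live) { pool[i].live = 1; return &pool[i]; }
  }
  return NULL;
}

/* Like free(): NULL is a no-op. A second free is counted, not executed. */
static void free_test_data(test_data_t *td) {
  if (!td) return;
  if (!td->live) { double_frees++; return; }
  td->live = 0;
}

/* platform_block: 1 if one of the per-OS blocks reassigns tdata.
 * null_after_free: 1 to apply the fix described in the ticket. */
int run_case(int platform_block, int null_after_free) {
  for (size_t i = 0; i < sizeof(pool) / sizeof(pool[0]); i++) pool[i].live = 0;
  double_frees = 0;

  test_data_t *tdata = get_test_data();
  free_test_data(tdata);               /* first free */
  if (null_after_free) tdata = NULL;   /* the fix: drop the dangling pointer */

  /* Stands in for the per-OS #if blocks that assign a fresh fixture. */
  if (platform_block) tdata = get_test_data();

  free_test_data(tdata);               /* final free */
  return double_frees;
}

int main(void) {
  printf("block present, no fix: %d\n", run_case(1, 0));
  printf("no block, no fix:      %d\n", run_case(0, 0));
  printf("no block, with fix:    %d\n", run_case(0, 1));
  return 0;
}
```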