[tor-bugs] #20710 [Core Tor/Tor]: memory leak in sandbox_getaddrinfo()

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 18 15:30:58 UTC 2016


#20710: memory leak in sandbox_getaddrinfo()
--------------------------+------------------------------------
 Reporter:  arma          |          Owner:
     Type:  defect        |         Status:  new
 Priority:  Medium        |      Milestone:  Tor: 0.2.9.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.2.9.5-alpha
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by arma):

 Initial poking leads me to
 {{{
 void
 sandbox_free_getaddrinfo_cache(void)
 {
   cached_getaddrinfo_item_t **next, **item;

   for (item = HT_START(getaddrinfo_cache, &getaddrinfo_cache);
        item;
        item = next) {
     next = HT_NEXT_RMV(getaddrinfo_cache, &getaddrinfo_cache, item);
     cached_getaddrinfo_item_free(*item);
   }

   HT_CLEAR(getaddrinfo_cache, &getaddrinfo_cache);
 }
 }}}

 You see the HT_NEXT_RMV in the middle? I think it updates *item to point
 to the next element. So when we call cached_getaddrinfo_item_free on it,
 it's freeing the wrong one. Or freeing some random thing in memory, more
 likely.

 Compare to how we call it in container.c, which is
 {{{
       this = *ent;                                                      \
       next = HT_NEXT_RMV(prefix##_impl, &map->head, ent);               \
       if (free_val)                                                     \
         free_val(this->val);                                            \
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20710#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
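
The save-then-remove ordering from the container.c excerpt above, as an added example that is not taken from the ticket or from Tor's code: a minimal stand-in table (not Tor's ht.h; every name here is hypothetical) whose `next_rmv()` leaves the slot naming the successor, as the comment describes for HT_NEXT_RMV. `table_clear()` reads the element before unlinking it, and `slot_moves_on_remove()` shows why reading it afterwards would name the wrong element.

```c
/* Constructed stand-in for an intrusive chained hash table; not Tor's ht.h. */
#include <stdlib.h>
#define NBUCKETS 4
typedef struct item_t { struct item_t *next; unsigned id; } item_t;
typedef struct { item_t *bucket[NBUCKETS]; } table_t;

static void table_add(table_t *t, unsigned id) {
  item_t *it = calloc(1, sizeof(*it));
  if (!it) abort();
  it->id = id;
  it->next = t->bucket[id % NBUCKETS];
  t->bucket[id % NBUCKETS] = it;
}
/* Slot of the first element at or after bucket b, or NULL if none is left. */
static item_t **slot_from(table_t *t, unsigned b) {
  for (; b < NBUCKETS; b++)
    if (t->bucket[b]) return &t->bucket[b];
  return NULL;
}
/* Unlink *slot and return the next element's slot. After this call *slot
 * names the successor (or is NULL), never the element that was removed. */
static item_t **next_rmv(table_t *t, item_t **slot) {
  unsigned b = (*slot)->id % NBUCKETS;
  *slot = (*slot)->next;
  return *slot ? slot : slot_from(t, b + 1);
}
/* Save the element, unlink it, free the saved pointer. Returns count freed. */
static int table_clear(table_t *t) {
  item_t **slot, **next, *victim;
  int n = 0;
  for (slot = slot_from(t, 0); slot; slot = next, n++) {
    victim = *slot;              /* must be read before next_rmv() */
    next = next_rmv(t, slot);
    free(victim);
  }
  return n;
}
/* Returns 1 if *slot names a different element once the removal is done. */
static int slot_moves_on_remove(void) {
  table_t t = {{0}};
  table_add(&t, 1); table_add(&t, 5);    /* constructed ids, both in bucket 1 */
  item_t **slot = slot_from(&t, 0), *victim = *slot;
  next_rmv(&t, slot);
  int moved = (*slot != victim && (*slot)->id == 1);
  free(victim);
  table_clear(&t);
  return moved;
}
int main(void) { return !slot_moves_on_remove(); }
```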
