[tor-bugs] #23329 [Core Tor/Tor]: sandbox: Double free when initializing the HSv3 config

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Aug 25 13:27:56 UTC 2017


#23329: sandbox: Double free when initializing the HSv3 config
------------------------------+---------------------------------
     Reporter:  dgoulet       |      Owner:  dgoulet
         Type:  defect        |     Status:  assigned
     Priority:  Medium        |  Milestone:  Tor: 0.3.2.x-final
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  tor-hs, tor-sandbox
Actual Points:                |  Parent ID:
       Points:  0.1           |   Reviewer:
      Sponsor:                |
------------------------------+---------------------------------
 In `main.c`:

 {{{
        /* steals references */
        sandbox_cfg_allow_open_filename(&cfg, file_name);
        sandbox_cfg_allow_open_filename(&cfg, tmp_name);
        tor_free(file_name);
 }}}

 ... freeing after stealing a reference is really not good :).

 Introduced in 5d2506d70cd which was never released.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23329>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list