[tor-bugs] #31003 [Core Tor/Tor]: heap-use-after-free src/feature/nodelist/routerlist.c:704 in router_get_by_descriptor_digest

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jul 19 13:53:14 UTC 2019


#31003: heap-use-after-free src/feature/nodelist/routerlist.c:704 in
router_get_by_descriptor_digest
-------------------------------------------------+-------------------------
 Reporter:  dgoulet                              |          Owner:  nickm
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  High                                 |      Milestone:  Tor:
                                                 |  0.4.1.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-crash, tor-hs, 041-backport,     |  Actual Points:  .1
  040-backport?, 035-backport?, 041-should?,     |
  041-regression?, 041-must                      |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by nickm):

 * keywords:
     tor-crash, tor-hs, 041-backport?, 041-should?, 041-regression?,
     041-must
     =>
     tor-crash, tor-hs, 041-backport, 040-backport?, 035-backport?,
     041-should?, 041-regression?, 041-must
 * status:  assigned => needs_review
 * actualpoints:   => .1


Comment:

 Oh yuck, the problem here as I see it is that routerlist_free() [which
 frees the entire routerlist object, and is only called on shutdown] is
 calling router_dir_info_changed(), which in turn is using the object that
 was just freed.  This happens in turn because the global "routerlist"
 variable is still set at this point.

 I think it might make more sense to remove the call to
 router_dir_info_changed(), but that could have subtle side effects I don't
 really understand.  Instead, I'm making us set the routerlist global to
 NULL before we call routerlist_free().

 I can't figure out why this happens in 0.4.1 and not before, so I've done
 a patch on 0.3.5 just in case, but I think we shouldn't backport too
 aggressively unless we're sure this causes no trouble.

 Branch is `bug31003_035`; PR at
 https://github.com/torproject/tor/pull/1181 . I recommend that we merge to
 0.4.1 and consider for later backport.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31003#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
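The ordering problem nickm describes (free the object, then call a notifier that reads it back through a global that still points at it), shown as an added example that is not Tor's code and not part of the ticket. The names routerlist, routerlist_free and router_dir_info_changed are borrowed from the comment; the struct, the counters and the two shutdown routines are hypothetical stand-ins. Because dereferencing memory that was really passed to free() is undefined behaviour, the demo replaces the free with a "dead" mark that the notifier can detect, which plays the role ASan plays in the real report; the actual free() happens only after each run has been checked.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for Tor's routerlist object; not Tor's real struct. */
typedef struct routerlist_t {
    int n_routers;
    int dead;   /* demo-only: set where the real code would call free(rl) */
} routerlist_t;

/* Models the global "routerlist" variable the ticket talks about. */
static routerlist_t *routerlist = NULL;

/* Counts every access to an object that has already been "freed". */
static int dangling_uses = 0;

/* Model of router_dir_info_changed(): it consults the global, not the
 * pointer handed to routerlist_free(), which is why the order of the
 * two operations inside routerlist_free() matters. */
static int router_dir_info_changed(void)
{
    if (!routerlist)
        return 0;                 /* shutdown: nothing left to recompute */
    if (routerlist->dead) {       /* ASan would report heap-use-after-free here */
        dangling_uses++;
        return -1;
    }
    return routerlist->n_routers;
}

/* Demo-only: marks the object dead instead of calling free(), so the
 * stale access above is observable instead of undefined behaviour. */
static void release_routerlist_storage(routerlist_t *rl)
{
    rl->dead = 1;
}

/* The pattern the ticket describes: free first, notify second,
 * with the global still pointing at the freed object. */
static void routerlist_free_buggy(routerlist_t *rl)
{
    if (!rl)
        return;
    release_routerlist_storage(rl);
    router_dir_info_changed();    /* reads through the stale global */
}

/* The fix the comment proposes: clear the global before freeing, so no
 * callee can reach the object through it any more. */
static void routerlist_free_all_fixed(void)
{
    routerlist_t *rl = routerlist;
    routerlist = NULL;
    if (!rl)
        return;
    release_routerlist_storage(rl);
    router_dir_info_changed();    /* sees NULL and returns early */
}

static routerlist_t *new_routerlist(int n)
{
    routerlist_t *rl = calloc(1, sizeof(*rl));
    if (!rl)
        abort();
    rl->n_routers = n;
    return rl;
}

/* Runs the buggy shutdown path; returns how many stale accesses it made. */
int run_buggy_shutdown(void)
{
    dangling_uses = 0;
    routerlist = new_routerlist(3);
    routerlist_t *rl = routerlist;
    routerlist_free_buggy(rl);    /* global still points at rl afterwards */
    free(rl);                     /* real release, after the check */
    routerlist = NULL;
    return dangling_uses;
}

/* Runs the fixed shutdown path; returns how many stale accesses it made. */
int run_fixed_shutdown(void)
{
    dangling_uses = 0;
    routerlist = new_routerlist(3);
    routerlist_t *rl = routerlist;
    routerlist_free_all_fixed();
    free(rl);                     /* real release, after the check */
    return dangling_uses;
}

int main(void)
{
    printf("buggy shutdown: %d stale access(es)\n", run_buggy_shutdown());
    printf("fixed shutdown: %d stale access(es)\n", run_fixed_shutdown());
    return 0;
}
```

The buggy path records one stale access, the fixed path none. In the real code base the same check is done by the sanitizer: build with -fsanitize=address and the shutdown path reports the read at routerlist.c:704 as heap-use-after-free, which is how the ticket was found. Note that the fix does not touch router_dir_info_changed() itself; it only guarantees the function can no longer observe the object being torn down, which is the narrower change nickm chose over deleting the call.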

