[tor-bugs] #30775 [Core Tor/Tor]: Crash in close_or_reextend_intro_circ() (not released)
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jun 5 17:07:36 UTC 2019
#30775: Crash in close_or_reextend_intro_circ() (not released)
------------------------------+-------------------------------------------
 Reporter:  asn               |      Owner:  (none)
     Type:  defect            |     Status:  new
 Priority:  Medium            |  Milestone:  Tor: 0.4.1.x-final
Component:  Core Tor/Tor      |    Version:
 Severity:  Normal            |   Keywords:  tor-hs bug 041-must stability
Actual Points:                |  Parent ID:  #30773
   Points:                    |   Reviewer:
  Sponsor:                    |
------------------------------+-------------------------------------------
There is a UAF in:
{{{
  if (!TO_CIRCUIT(intro_circ)->marked_for_close) {
    circuit_change_purpose(TO_CIRCUIT(intro_circ),
                           CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
    circuit_mark_for_close(TO_CIRCUIT(intro_circ),
                           END_CIRC_REASON_FINISHED);
  }
  /* Close the related rendezvous circuit. */
  rend_circ = hs_circuitmap_get_rend_circ_client_side(
                   intro_circ->hs_ident->rendezvous_cookie);
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30775>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online