Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Isis Lovecruft@isis

extra tor_free() for create_cell_t in command_process_create_cell()

In command_process_create_cell() (on master, as of commit da04fed865b6df09b33e6b632d51d34b3eb20d14)

     memset(&created_cell, 0, sizeof(created_cell));
     len = onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_FAST,
                                       create_cell->onionskin,
                                       create_cell->handshake_len,
                                       NULL,
                                       created_cell.reply,
                                       keys, CPATH_KEY_MATERIAL_LEN,
                                       rend_circ_nonce);
     tor_free(create_cell);
     if (len < 0) {
       log_warn(LD_OR,"Failed to generate key material. Closing.");
       circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
       tor_free(create_cell);
       return;
     }

Which is a double-free (somewhat dependent on what the PREDICT_LIKELY macro generates).

I haven't tested yet, but it might be possible to crash relays with this bug. We should probably patch this ASAP.

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information