GitLab

This is in git master and hasn't been released.

Here is how the bug is triggered. You download a descriptor of a valid HS. Then restart that HS (thus making the current descriptor obsolete) and retry right away to download the descriptor for that HS. The tor client stops with a segfault in malloc() (you sometime need couple of tries to trigger the issue).

Now I believe this is a memory corruption of some sort since during the git bisect, I was able to trigger bad free() and other segfaults with tor_memcmp() in some other non related functions with the same usecase. Bisect gave me this commit as the first bad commit:

commit ab9a0e340728abd96128da726f67b4ccca10ba52
Author: David Goulet <dgoulet@ev0ke.net>
Date:   Thu Jun 18 16:09:18 2015 -0400

    Add rend failure cache
[...]

That precise commit introduces a memory corruption somewhere somehow, I can't find it for now so I'm filling this ticket. Attached is a debug log (3.3M) of the issue being triggered. It's also quite easy to run tor in gdb and catch the issue.