Malformed extendcircuit from a controller can crash Tor
If the controller is naughty and doesn't follow the control-spec.txt for EXTENDCIRCUIT, it can crash Tor. Tested with 0.1.1.23 and 0.1.2.1-alpha.
    [edmanm@adrastea:~]$ telnet localhost 9051
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    authenticate
    250 OK
    extendcircuit 0 pasiphae thorforlife yargh
    Connection closed by foreign host.
    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_PROTECTION_FAILURE at address: 0x00000008
    0x00029c78 in handle_control_extendcircuit (conn=0x1588160, len=20457776, body=0x4 <Address 0x4 out of bounds>) at control.c:1751
    1751 if (get_purpose(smartlist_get(args,2), 1, &intended_purpose) < 0) {
    (gdb) bt
    #0 0x00029c78 in handle_control_extendcircuit (conn=0x1588160, len=20457776, body=0x4 <Address 0x4 out of bounds>) at control.c:1751
    #1 0x0002d7cc in connection_control_process_inbuf_v1 (conn=0x1588160) at control.c:2417
    #2 0x0002e158 in connection_control_process_inbuf (conn=0x1588160) at control.c:2609
    #3 0x00020300 in connection_handle_read (conn=0x1588160) at connection.c:1313
    #4 0x00040bd4 in conn_read_callback (fd=25165824, event=1, _conn=0xbffff348) at main.c:405
    #5 0x00073ba0 in event_base_loop (base=0x500ac0, flags=0) at event.c:256
    #6 0x00040830 in tor_main (argc=591304, argv=0xbffff808) at main.c:1164
    #7 0x000019ec in _start (argc=3, argv=0xbffff808, envp=0xbffff818) at /SourceCache/Csu/Csu-57.0.82/crt.c:272
    #8 0x00001890 in start ()
[Automatically added by flyspray2trac: Operating System: All]
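Added example, not Tor's code and not the fix applied for this ticket: a stand-alone check that rejects a malformed EXTENDCIRCUIT argument line, including the one in the session above, before any argument is indexed. The grammar in the comment and the two purpose values are the editor's reading of control-spec.txt and are assumptions; `validate_extendcircuit` and `split_args` are hypothetical names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed grammar (editor's reading of control-spec.txt, not quoted in the report):
 *   CircuitID SP ServerSpec *("," ServerSpec) [SP "purpose=" Purpose]
 * The body is the text after the "EXTENDCIRCUIT " keyword, without CRLF. */
#define MAX_ARGS 4

/* Split buf in place on spaces; returns the token count, or -1 if more than max. */
static int split_args(char *buf, char *argv[], int max)
{
  int n = 0;
  for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
    if (n == max) return -1;
    argv[n++] = tok;
  }
  return n;
}

/* Returns 0 if the argument line is well-formed, -1 otherwise. */
int validate_extendcircuit(const char *body)
{
  char buf[512], *argv[MAX_ARGS];
  size_t len = strlen(body);
  if (len >= sizeof(buf)) return -1;            /* oversized line */
  memcpy(buf, body, len + 1);
  int argc = split_args(buf, argv, MAX_ARGS);
  if (argc < 2 || argc > 3) return -1;          /* check the count before indexing */
  for (const char *p = argv[0]; *p; p++)        /* circuit ID: decimal digits only */
    if (!isdigit((unsigned char)*p)) return -1;
  const char *s = argv[1];                      /* server list: no empty elements */
  if (*s == ',' || s[strlen(s) - 1] == ',' || strstr(s, ",,")) return -1;
  if (argc == 3) {                              /* optional third argument */
    if (strncmp(argv[2], "purpose=", 8) != 0) return -1;
    const char *p = argv[2] + 8;                /* assumed purpose values */
    if (strcmp(p, "general") != 0 && strcmp(p, "controller") != 0) return -1;
  }
  return 0;
}

int main(void)
{
  const char *reported = "0 pasiphae thorforlife yargh"; /* line from the session above */
  printf("%s -> %d\n", reported, validate_extendcircuit(reported));
  return 0;
}
```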