use after free crash after "eventdns rejected address [scrubbed]"
Running multiple tor nodes, they crash multiple times per day. The only thing in the logfile is:
Sep 27 12:08:34.784 [warn] eventdns rejected address [scrubbed]
I enabled debugging and MALLOC_OPTIONS on OpenBSD and got the following:
Sep 27 12:08:34.783 [debug] int connection_edge_process_relay_cell(cell_t *, circuit_t *, edge_connection_t *, crypt_path_t *)(): circ-level sendme at non-o , packagewindow 526. Sep 27 12:08:34.783 [debug] void circuit_resume_edge_reading(circuit_t *, crypt_path_t *)(): resuming Sep 27 12:08:34.783 [debug] int connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting, inbuf_datalen 0 (0 pending in tls object). Sep 27 12:08:34.783 [debug] void conn_write_callback(int, short, void *)(): socket 1117 wants to write. Sep 27 12:08:34.784 [debug] int flush_chunk_tls(tor_tls_t *, buf_t *, chunk_t *, size_t, size_t *)(): flushed 512 bytes, 0 ready to flush, 0 remain. Sep 27 12:08:34.784 [debug] int connection_handle_write_impl(connection_t *, int)(): After TLS write of 512: 0 read, 586 written Sep 27 12:08:34.784 [debug] int connection_or_flush_from_first_active_circuit(or_connection_t *, int, time_t)(): Made a circuit inactive. Sep 27 12:08:34.784 [debug] void conn_read_callback(int, short, void *)(): socket 53 wants to read. Sep 27 12:08:34.784 [debug] int connection_read_to_buf(connection_t *, ssize_t *, int *)(): 53: starting, inbuf_datalen 0 (0 pending in tls object). at_most 4. Sep 27 12:08:34.784 [debug] int connection_read_to_buf(connection_t *, ssize_t *, int *)(): After TLS read of 512: 549 read, 0 written Sep 27 12:08:34.784 [debug] int connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting, inbuf_datalen 512 (0 pending in tls object). Sep 27 12:08:34.784 [debug] int circuit_receive_relay_cell(cell_t *, circuit_t *, cell_direction_t)(): Sending away from origin. Sep 27 12:08:34.784 [debug] int connection_edge_process_relay_cell(cell_t *, circuit_t *, edge_connection_t *, crypt_path_t *)(): Now seen 33189527 relay ce ere (command 1, stream 39854). Sep 27 12:08:34.784 [debug] int connection_exit_begin_conn(cell_t *, circuit_t *)(): Creating new exit connection. Sep 27 12:08:34.784 [debug] int connection_exit_begin_conn(cell_t *, circuit_t *)(): about to start the dns_resolve(). Sep 27 12:08:34.784 [debug] int dns_resolve_impl(edge_connection_t *, int, or_circuit_t *, char **)(): Launching [scrubbed]. Sep 27 12:08:34.784 [info] int launch_resolve(edge_connection_t *)(): Launching eventdns request for [scrubbed] Sep 27 12:08:34.784 [info] eventdns: Resolve requested. Sep 27 12:08:34.784 [warn] eventdns rejected address [scrubbed]. Sep 27 12:08:34.784 [debug] void dns_cancel_pending_resolve(const char *)(): Failing all connections waiting on DNS resolve of [scrubbed] Sep 27 12:08:34.784 [debug] int connection_edge_end(edge_connection_t *, uint8_t)(): No circ to send end on conn (fd -1). Sep 27 12:08:34.784 [debug] int relay_send_command_from_edge(streamid_t, circuit_t *, uint8_t, const char *, size_t, crypt_path_t *)(): delivering 3 cell ba d. Sep 27 12:08:34.784 [debug] void append_cell_to_circuit_queue(circuit_t *, or_connection_t *, cell_t *, cell_direction_t, streamid_t)(): Made a circuit acti Sep 27 12:08:34.784 [debug] void append_cell_to_circuit_queue(circuit_t *, or_connection_t *, cell_t *, cell_direction_t, streamid_t)(): Primed a buffer. Sep 27 12:08:34.784 [debug] int connection_or_flush_from_first_active_circuit(or_connection_t *, int, time_t)(): Made a circuit inactive. Sep 27 12:08:34.784 [debug] int connection_or_process_cells_from_inbuf(or_connection_t *)(): 53: starting, inbuf_datalen 0 (0 pending in tls object). Sep 27 12:08:34.784 [debug] void conn_write_callback(int, short, void *)(): socket 1117 wants to write. tor in free(): error: chunk is already free 0x202974900 Abort trap
I do not have a core.
Trac:
Username: dhill