SIGSEGV in directory_initiate_command_routerstatus()
In git revision 7a99d26c, one of router_pick_directory_server(), router_pick_trusteddirserver() or router_pick_fallback_dirserver() returns a bogus pointer to routerstatus_t with value 0x101; directory_initiate_command_routerstatus() uses it and ultimately this leads to a SIGSEGV in node_get_by_id(). Stack trace is:
(gdb) bt
#0 0x00007ffff6a660d0 in __memcpy_ssse3 () from /lib64/libc.so.6
#1 0x0000000000417c92 in node_get_mutable_by_id (identity_digest=0x11d <Address 0x11d out of bounds>) at src/or/nodelist.c:86
#2 0x0000000000417cce in node_get_by_id (identity_digest=0x11d <Address 0x11d out of bounds>) at src/or/nodelist.c:96
#3 0x00000000004ec5df in directory_initiate_command_routerstatus_rend (status=0x101, dir_purpose=19 '\023', router_purpose=0 '\000', indirection=DIRIND_ONEHOP, resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"..., payload=0x0, payload_len=0, if_modified_since=0, rend_query=0x0) at src/or/directory.c:571
#4 0x00000000004ec823 in directory_initiate_command_routerstatus (status=0x101, dir_purpose=19 '\023', router_purpose=0 '\000', indirection=DIRIND_ONEHOP, resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"..., payload=0x0, payload_len=0, if_modified_since=0) at src/or/directory.c:631
#5 0x00000000004ec392 in directory_get_from_dirserver (dir_purpose=19 '\023', router_purpose=0 '\000', resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"..., pds_flags=18) at src/or/directory.c:502
#6 0x0000000000457e66 in initiate_descriptor_downloads (source=0x0, purpose=19, digests=0x13ad3a0, lo=828, hi=920, pds_flags=18) at src/or/routerlist.c:4120
#7 0x00000000004581c3 in launch_descriptor_downloads (purpose=19, downloadable=0x13ad3a0, source=0x0, now=1355881851) at src/or/routerlist.c:4239
#8 0x00000000004107d8 in update_microdesc_downloads (now=1355881851) at src/or/microdesc.c:694
#9 0x00000000004f1332 in connection_dir_client_reached_eof (conn=0x1469c60) at src/or/directory.c:1833
#10 0x00000000004f3000 in connection_dir_reached_eof (conn=0x1469c60) at src/or/directory.c:2257
#11 0x00000000004cbfbb in connection_reached_eof (conn=0x1469c60) at src/or/connection.c:4071
#12 0x00000000004c95ee in connection_handle_read_impl (conn=0x1469c60) at src/or/connection.c:2847
#13 0x00000000004c9624 in connection_handle_read (conn=0x1469c60) at src/or/connection.c:2860
#14 0x000000000040a22f in conn_read_callback (fd=20, event=2, _conn=0x1469c60) at src/or/main.c:722
#15 0x00007ffff772f930 in event_process_active (base=0x7e3c70, flags=) at event.c:395
#16 event_base_loop (base=0x7e3c70, flags=) at event.c:547
#17 0x000000000040cc37 in do_main_loop () at src/or/main.c:1989
#18 0x000000000040e1f7 in tor_main (argc=3, argv=0x7fffffffe668) at src/or/main.c:2701
#19 0x0000000000408804 in main (argc=3, argv=0x7fffffffe668) at src/or/tor_main.c:30
Some other detail:
(gdb) frame 3
#3 0x00000000004ec5df in directory_initiate_command_routerstatus_rend (status=0x101, dir_purpose=19 '\023', router_purpose=0 '\000', indirection=DIRIND_ONEHOP, resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"..., payload=0x0, payload_len=0, if_modified_since=0, rend_query=0x0) at src/or/directory.c:571
571 node = node_get_by_id(status->identity_digest);
(gdb) print status
$1 = (const routerstatus_t *) 0x101
(gdb) frame 4
#4 0x00000000004ec823 in directory_initiate_command_routerstatus (status=0x101, dir_purpose=19 '\023', router_purpose=0 '\000', indirection=DIRIND_ONEHOP, resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"..., payload=0x0, payload_len=0, if_modified_since=0) at src/or/directory.c:631
631 directory_initiate_command_routerstatus_rend(status, dir_purpose,
(gdb) print status
$2 = (const routerstatus_t *) 0x101
(gdb) frame 5
#5 0x00000000004ec392 in directory_get_from_dirserver (dir_purpose=19 '\023', router_purpose=0 '\000', resource=0x19602f0 "d/RxIpu2VOF0FTdsgiccXyUps4lCJD/O0jvCDY8elnlv8-RzVVl5rSA9iSAK7ZCuMePyhE5SaMyGi8olZ5InK+uoQ-R0Pmy59ZRW0IKG6bkqWCrU1YClTN/05D5gMnXa4u/Ns-R0wkmK8kLTPW8DCdofiu66GNeDa5YGNqPp4b2ApZN+s-R1+MPxgA72EE2UmVUnUlU2"..., pds_flags=18) at src/or/directory.c:502
502 directory_initiate_command_routerstatus(rs, dir_purpose,
(gdb) print rs
$3 = (const routerstatus_t *) 0x101