#20103: Crash on OpenBSD: tor invoked from Tor Browser 6.0.4
 Reporter:  attila                       |          Owner:
     Type:  defect                       |         Status:  new
 Priority:  High                         |      Milestone:  Tor:
                                         |  0.2.9.x-final
Component:  Core Tor/Tor                 |        Version:  Tor:
 Severity:  Normal                       |     Resolution:
 Keywords:  bug regression 028-backport  |  Actual Points:
Parent ID:                               |         Points:
 Reviewer:                               |        Sponsor:

Comment (by rubiate):

 Did some more digging.

 What's up with the consensus when using the .20 relay (NYCBUG0) as a

     network-status-version 3 microdesc\nvote-status consensus\nconsensus-
 method 20\nvalid-after 2016-09-08 19:00:00\nfresh-until '''2016-09-08'''
 20:00:00\nvalid-until '''2016-09-08''' 22:00:00

 Tor says the clock is fine:

     [debug] connection_dir_client_reached_eof(): Time on received
 directory is within tolerance; we are -2 seconds skewed.  (That's okay.)
     [info] connection_dir_client_reached_eof(): Received consensus
 directory (size 1404160) from server ''

 Whatever the cause, I think this is what is exposing the bug.

 Before the crash happens, `networkstatus_vote_free(current_md_consensus)`
 on src/or/networkstatus.c:1753 is reached. This calls
 `routerstatus_free(rs)` (src/or/networkstatus.c:319) on everything in the
 routerlist. I added some logging to see what it's doing:

     [... bajillion lines trimmed...]
     routerstatus_free: 0x167ecf8fa700
     routerstatus_free: 0x167e5e425e00
     '''routerstatus_free: 0x167ecf8fab00'''
     routerstatus_free: 0x167e91b76a00
     routerstatus_free: 0x167ecf8fa100
     [...bajillion lines trimmed...]
     Segmentation fault (core dumped)

     $ gdb tor/src/or/tor tor.core
     (gdb) up 2
     (gdb) print *node->rs
     $1 = (routerstatus_t *) 0x167ecf8fab00

 I'm hoping that NYCBUG relay stays broken for now so I can investigate
 further, and hopefully figure out why this seems to only happen on

 And well done to atilla on having the specific config to trigger this :-)

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20103#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to