From 542cc8a5fff7b566cb44185e1fb6aae8ff469a16 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 21 Oct 2015 08:17:07 -0400
Subject: [PATCH 1/5] Fix a memory leak; bug 17398.
---
 changes/bug17398 | 3 +++
 src/common/crypto_ed25519.c | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 changes/bug17398
diff --git a/changes/bug17398 b/changes/bug17398
new file mode 100644
index 000000000..66e27a696
--- /dev/null
+++ b/changes/bug17398
@@ -0,0 +1,3 @@
+ o Minor bugfixes (memory leaks):
+ - Fix a memory leak in ed25519 batch signature checking.
+ Fixes bug 17398; bugfix on 0.2.6.1-alpha.
diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index 7e995f461..1749efc34 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -260,6 +260,7 @@ ed25519_checksig_batch(int *okay_out,
 tor_free(ms);
 tor_free(lens);
 tor_free(pks);
+ tor_free(sigs);
 if (! okay_out)
 tor_free(oks);
 }
From 5b2070198a9fa7d19f50ba165dc6ff274ffe073a Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 21 Oct 2015 09:59:19 -0400
Subject: [PATCH 2/5] Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind
---
 changes/bug17401 | 3 +++
 src/or/rendcache.c | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changes/bug17401
diff --git a/changes/bug17401 b/changes/bug17401
new file mode 100644
index 000000000..a22f79c43
--- /dev/null
+++ b/changes/bug17401
@@ -0,0 +1,3 @@
+ o Major bugfixes (correctness):
+ - Fix a use-after-free bug in validate_intro_point_failure().
+ Fixes bug 17401; bugfix on 0.2.7.3-rc.
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 542d322c7..df4f51780 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
 /* This intro point is in our cache, discard it from the descriptor
 * because chances are that it's unusable. */
 SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
- rend_intro_point_free(intro);
 /* Keep it for our new entry. */
 digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+ /* Only free it when we're done looking at it. */
+ rend_intro_point_free(intro);
 continue;
 }
 } SMARTLIST_FOREACH_END(intro);
From 03eb999d42a582bece2063fc06f34fad72e05be5 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 21 Oct 2015 10:27:19 -0400
Subject: [PATCH 3/5] Fix an (unreachable) memory leak in rendcache.c The 0.2.8 unit tests provoke this leak, though I don't think it can happen IRL.
---
 src/or/rendcache.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index df4f51780..4a12b08c1 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -353,7 +353,7 @@ cache_failure_intro_add(const uint8_t *identity, const char *service_id,
 rend_intro_point_failure_t failure)
 {
 rend_cache_failure_t *fail_entry;
- rend_cache_failure_intro_t *entry;
+ rend_cache_failure_intro_t *entry, *old_entry;
 
 /* Make sure we have a failure object for this service ID and if not,
 * create it with this new intro failure entry. */
@@ -364,7 +364,10 @@ cache_failure_intro_add(const uint8_t *identity, const char *service_id,
 strmap_set_lc(rend_cache_failure, service_id, fail_entry);
 }
 entry = rend_cache_failure_intro_entry_new(failure);
- digestmap_set(fail_entry->intro_failures, (char *) identity, entry);
+ old_entry = digestmap_set(fail_entry->intro_failures,
+ (char *) identity, entry);
+ /* This _should_ be NULL, but in case it isn't, free it. */
+ rend_cache_failure_intro_entry_free(old_entry);
 }
 
 /** Using a parsed descriptor desc, check if the introduction points
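Review bot: The `digestmap_set()` call kept in this hunk of validate_intro_point_failure() still discards its return value, while patch 3/5 of this series frees the value returned by the same call in cache_failure_intro_add(). If a descriptor can list two intro points with the same identity (not visible from this hunk, and descriptors are remote input), the second `digestmap_set()` would replace the first `ent_dup` without freeing it. Consider `old = digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);` followed by `rend_cache_failure_intro_entry_free(old);`. The new comment could also say why the order matters, e.g. `/* identity may point into intro, so free intro only after the map has taken the key. */`, if that is the aliasing valgrind reported; the function body starts and ends outside the hunk.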
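Review bot: On the expected path `old_entry` is NULL, so the added `rend_cache_failure_intro_entry_free(old_entry);` in cache_failure_intro_add() relies on that function accepting NULL, and only its final `tor_free(entry);` is visible in this series. If it does accept NULL, say so in the comment, e.g. `/* This _should_ be NULL, but in case it isn't, free it (freeing NULL is a no-op). */`; otherwise guard the call with `if (old_entry)`. The declaration of `old_entry` is in the preceding hunk at -353, and part of the function body lies between the two hunks.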
From aa96abe66b7ac507e927d4cfe37d78eaf754179e Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 21 Oct 2015 10:52:57 -0400
Subject: [PATCH 4/5] Fix memory leak in rend_cache_failure_entry_free() Bug 17402.
---
 changes/bug17402 | 3 +++
 src/or/rendcache.c | 14 +++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 changes/bug17402
diff --git a/changes/bug17402 b/changes/bug17402
new file mode 100644
index 000000000..4760e00b0
--- /dev/null
+++ b/changes/bug17402
@@ -0,0 +1,3 @@
+ o Major bugfixes (memory leak):
+ - Fix a memory leak in rend_cache_failure_entry_free().
+ Fixes bug 17402; bugfix on 0.2.7.3-rc.
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 4a12b08c1..93f444019 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -122,6 +122,12 @@ rend_cache_failure_intro_entry_free(rend_cache_failure_intro_t *entry)
 tor_free(entry);
 }
 
+static void
+rend_cache_failure_intro_entry_free_(void *entry)
+{
+ rend_cache_failure_intro_entry_free_(entry);
+}
+
 /** Allocate a rend cache failure intro object and return it. failure
 * is set into the object. This function can not fail. */
 static rend_cache_failure_intro_t *
@@ -142,11 +148,9 @@ rend_cache_failure_entry_free(rend_cache_failure_t *entry)
 }
 
 /* Free and remove every intro failure object. */
- DIGESTMAP_FOREACH_MODIFY(entry->intro_failures, key,
- rend_cache_failure_intro_t *, e) {
- rend_cache_failure_intro_entry_free(e);
- MAP_DEL_CURRENT(key);
- } DIGESTMAP_FOREACH_END;
+ digestmap_free(entry->intro_failures,
+ rend_cache_failure_intro_entry_free_);
+
 tor_free(entry);
 }
 
From 5d45a26f39816c17459a3c71617cddcd3d19cea6 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 21 Oct 2015 10:56:27 -0400
Subject: [PATCH 5/5] Whoops; infinite recursion
---
 src/or/rendcache.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 93f444019..d4bdd6869 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
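Review bot: The new `rend_cache_failure_intro_entry_free_()` has no doc comment, unlike the `/** ... */` comment on the allocator just below it, and its name differs from the typed free function only by a trailing underscore. A comment such as `/** Helper: as rend_cache_failure_intro_entry_free(), but takes a void * so it can be passed to digestmap_free(). */` would make the intent explicit. As written in this patch the helper calls itself; 5/5 corrects the call, so squashing the two would keep a self-recursing free path out of every bisectable revision.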
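Review bot: The retained comment `/* Free and remove every intro failure object. */` in rend_cache_failure_entry_free() no longer describes the whole step, since the added `digestmap_free()` call is handed the map itself along with the per-entry free function. Suggest `/* Free every intro failure object and the map that holds them. */`. The opening of the function body is outside the hunk.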
@@ -125,7 +125,7 @@ rend_cache_failure_intro_entry_free(rend_cache_failure_intro_t *entry)
 static void
 rend_cache_failure_intro_entry_free_(void *entry)
 {
- rend_cache_failure_intro_entry_free_(entry);
+ rend_cache_failure_intro_entry_free(entry);
 }
 
 /** Allocate a rend cache failure intro object and return it. failure