Stop invoking undefined behaviour by using tor_free() on an unaligned pointer

... in get_interface_addresses_ioctl().

This pointer alignment issue exists on x86_64 macOS, but is unlikely to exist
elsewhere. (i386 macOS only requires 4-byte alignment, and other OSs have
8-byte ints.)

Fixes bug 24733; not in any released version of tor.

diff --git a/changes/bug24733 b/changes/bug24733
new file mode 100644 (file)
index 0000000..e333e4f
--- /dev/null
+++ b/changes/bug24733
@@ -0,0 +1,6 @@
+  o Minor bugfixes (code correctness):
+    - Stop invoking undefined behaviour by using tor_free() on an unaligned
+      pointer in get_interface_addresses_ioctl(). This pointer alignment issue
+      exists on x86_64 macOS, but is unlikely to exist elsewhere.
+      Fixes bug 24733; bugfix on 0.3.0.0-alpha-dev;
+      not in any released version of tor.

diff --git a/src/common/address.c b/src/common/address.c
index 0c0ba782ae18db9ced0c7ac6af1217b3b542daa8..ea14e639260ece21c7d7df1747c00a1f0470418c 100644 (file)
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -1601,7 +1601,11 @@ get_interface_addresses_ioctl(int severity, sa_family_t family)
  done:
   if (fd >= 0)
     close(fd);
-  tor_free(ifc.ifc_buf);
+  /* On macOS, tor_free() loads ifc.ifc_buf, which leads to undefined
+   * behaviour, because it is always aligned at 8-bytes (ifc) plus 4 bytes
+   * (ifc_len and pragma pack(4)). So we use raw_free() instead. */
+  raw_free(ifc.ifc_buf);
+  ifc.ifc_buf = NULL;
   return result;
 }
 #endif /* defined(HAVE_IFCONF_TO_SMARTLIST) */