From: Nick Mathewson Date: Fri, 19 Jul 2019 13:49:52 +0000 (-0400) Subject: Set 'routerlist' global to NULL before freeing it. X-Git-Tag: tor-0.4.1.4-rc~9^2^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a9379d6750d025d8bfe54a79c26e89eb45393f3a;p=thirdparty%2Ftor.git Set 'routerlist' global to NULL before freeing it. There is other code that uses this value, and some of it is apparently reachable from inside router_dir_info_changed(), which routerlist_free() apparently calls. (ouch!) This is a minimal fix to try to resolve the issue without causing other problems. Fixes bug 31003. I'm calling this a bugfix on 0.1.2.2-alpha, where the call to router_dir_info_changed() was added to routerlist_free(). --- diff --git a/changes/bug31003 b/changes/bug31003 new file mode 100644 index 0000000000..6c75163380 --- /dev/null +++ b/changes/bug31003 @@ -0,0 +1,4 @@ + o Minor bugfixes (crash on exit): + - Avoid a set of possible code paths that could use try to use freed memory + in routerlist_free() while Tor was exiting. Fixes bug 31003; bugfix on + 0.1.2.2-alpha. diff --git a/src/feature/nodelist/routerlist.c b/src/feature/nodelist/routerlist.c index 4a99427cd6..61af09742d 100644 --- a/src/feature/nodelist/routerlist.c +++ b/src/feature/nodelist/routerlist.c @@ -954,20 +954,18 @@ routerlist_free_(routerlist_t *rl) smartlist_free(rl->routers); smartlist_free(rl->old_routers); if (rl->desc_store.mmap) { - int res = tor_munmap_file(routerlist->desc_store.mmap); + int res = tor_munmap_file(rl->desc_store.mmap); if (res != 0) { log_warn(LD_FS, "Failed to munmap routerlist->desc_store.mmap"); } } if (rl->extrainfo_store.mmap) { - int res = tor_munmap_file(routerlist->extrainfo_store.mmap); + int res = tor_munmap_file(rl->extrainfo_store.mmap); if (res != 0) { log_warn(LD_FS, "Failed to munmap routerlist->extrainfo_store.mmap"); } } tor_free(rl); - - router_dir_info_changed(); } /** Log information about how much memory is being used for routerlist, 
@@ -1426,8 +1424,10 @@ routerlist_reparse_old(routerlist_t *rl, signed_descriptor_t *sd) void routerlist_free_all(void) { - routerlist_free(routerlist); - routerlist = NULL; + routerlist_t *rl = routerlist; + routerlist = NULL; // Prevent internals of routerlist_free() from using + // routerlist. + routerlist_free(rl); dirlist_free_all(); if (warned_nicknames) { SMARTLIST_FOREACH(warned_nicknames, char *, cp, tor_free(cp));
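Review bot: the new changes/bug31003 entry reads "could use try to use freed memory"; the first "use" is a leftover, and the line should read "could try to use freed memory".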
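Review bot: in the routerlist_free_() hunk of src/feature/nodelist/routerlist.c, the trailing router_dir_info_changed() call is dropped, but the subject line and the changes entry describe only the NULL-before-free ordering. The commit message names that call as the way other code reaches the global during the free, so state explicitly that it is removed here, and check that no caller of routerlist_free() outside the exit path relied on that notification. The two log_warn strings still say "routerlist->desc_store.mmap" and "routerlist->extrainfo_store.mmap" although the code now unmaps through rl; harmless, but worth aligning with the parameter name.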
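Review bot: in the routerlist_free_all() hunk, the comment on "routerlist = NULL;" refers to "internals of routerlist_free()" without naming which path reads the global, and this same patch removes router_dir_info_changed() from routerlist_free_(), the one path the commit message identifies. Either name the remaining path or say that the ordering is purely defensive, so a later cleanup does not revert it. The comment also uses "//" where the context line in this file shows block-comment style ("/** Log information ..."); a "/* ... */" comment would match.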