Free rend_data and intro_key when extra intro circs become general-purpose

diff --git a/changes/bug4251 b/changes/bug4251
new file mode 100644 (file)
index 0000000..303c9e6
--- /dev/null
+++ b/changes/bug4251
@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+
+    - When a hidden service turns an extra service-side introduction
+      circuit into a general-purpose circuit, free the rend_data and
+      intro_key fields first, so they won't be leaked if the circuit
+      is cannibalized for use as another service-side introduction
+      circuit.  Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+

diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 6ed9650fc161ec43bfd60b350d99f1a33d9fee6d..0f5731912d83d42ba2f76e987184faf05e8ac48d 100644 (file)
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1421,7 +1421,20 @@ rend_service_intro_has_opened(origin_circuit_t *circuit)
       log_info(LD_CIRC|LD_REND, "We have just finished an introduction "
                "circuit, but we already have enough. Redefining purpose to "
                "general; leaving as internal.");
+
       TO_CIRCUIT(circuit)->purpose = CIRCUIT_PURPOSE_C_GENERAL;
+
+      {
+        rend_data_t *rend_data = circuit->rend_data;
+        circuit->rend_data = NULL;
+        rend_data_free(rend_data);
+      }
+      {
+        crypto_pk_env_t *intro_key = circuit->intro_key;
+        circuit->intro_key = NULL;
+        crypto_free_pk_env(intro_key);
+      }
+
       circuit_has_opened(circuit);
       return;
     }