From: Sebastian Hahn
Date: Mon, 9 Feb 2015 15:04:51 +0000 (+0100)
Subject: Avoid use-after-free of circ belonging to cancelled job
X-Git-Tag: tor-0.2.6.3-alpha~66
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=733751009058a8ff140c15ddd8b022da6a77afdd;p=thirdparty%2Ftor.git

Avoid use-after-free of circ belonging to cancelled job

This fixes a bug where we decide to free the circuit because it isn't on any workqueue anymore, and then the job finishes and the circuit gets freed again.

Fixes bug #14815, not in any released version of Tor.
---
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 5e8b32d780..7fe2351979 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ) tor_free(job); tor_assert(total_pending_tasks > 0); --total_pending_tasks; + circ->workqueue_entry = NULL; } - - circ->workqueue_entry = NULL; }
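Review bot: the moved assignment encodes an invariant the hunk leaves undocumented. After this change a non-NULL circ->workqueue_entry means workqueue_entry_cancel() returned NULL because a worker already holds the job, and that job still points at circ, so whoever frees the circuit has to treat the entry as a live reference and leave the free to the reply path. Nothing in cpuworker_cancel_circ_handshake() says so, and the old unconditional `circ->workqueue_entry = NULL;` after the if block read like harmless cleanup, which is exactly how the double free got in. Put a comment next to the moved `+ circ->workqueue_entry = NULL;` (for example `/* Only clear the entry if we really cancelled; otherwise the reply handler still owns the job and its reference to circ. */`) and add an else branch, even if empty, whose comment names who clears the entry when cancellation fails, so the next tidy-up does not move the line back out of `if (job)`.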
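The race the commit message describes, as an added example that is not Tor's code: a stand-alone C model of the cancel and free paths. The circuit and job structures, the worker's `claimed` flag and the free/use-after-free counters are all constructed here (the real code wipes and frees memory; the counters stand in for that so the outcome can be asserted), and the names `workqueue_entry`, `workqueue_entry_cancel` and `total_pending_tasks` are borrowed from the patch only as labels. It runs the patched function in both shapes, before and after the change, against a job a worker has already picked up.

```c
/* Added example, not Tor's code: a minimal model of the cancel/free race the
 * commit fixes. The structs, the "claimed" flag and the counters are
 * constructed so the use-after-free shows up as a count, not a crash. */
#include <stdio.h>
#include <stdlib.h>

struct circ;

/* A queued handshake job; `claimed` models a worker having already taken it,
 * after which cancellation cannot succeed. */
typedef struct job_t {
  struct circ *circ;
  int claimed;
} job_t;

typedef struct circ {
  job_t *workqueue_entry; /* non-NULL while some job still points at us */
  int marked_dead;        /* free was requested while a job was in flight */
  int free_count;         /* constructed: counts frees instead of freeing */
  int uaf_count;          /* constructed: accesses made after a free */
} circ_t;

typedef struct { int frees, uaf, pending; } outcome_t;

static int total_pending_tasks;

/* Model of workqueue_entry_cancel(): hands the job back to the caller if no
 * worker has claimed it, NULL if it is already being processed. */
static job_t *workqueue_entry_cancel(job_t *job)
{
  return job->claimed ? NULL : job;
}

/* The function the patch touches, in both shapes. fixed == 0 is the code
 * before the patch: the entry is cleared even when cancellation failed, so the
 * circ looks unreferenced while a worker still holds a pointer to it.
 * fixed == 1 is the code after the patch: only a successful cancel clears it. */
static void cancel_circ_handshake(circ_t *circ, int fixed)
{
  job_t *job;
  if (circ->workqueue_entry == NULL)
    return;
  job = workqueue_entry_cancel(circ->workqueue_entry);
  if (job) {
    free(job);
    --total_pending_tasks;
    if (fixed)
      circ->workqueue_entry = NULL;
  }
  if (!fixed)
    circ->workqueue_entry = NULL;
}

/* Model of the circuit free path: a live workqueue_entry means a job still
 * refers to the circ, so the free is deferred to the reply handler. */
static void circuit_free_model(circ_t *circ)
{
  if (circ->workqueue_entry) {
    circ->marked_dead = 1;
    return;
  }
  circ->free_count++; /* the real code wipes and releases the memory here */
}

/* Model of the reply handler run when the worker finishes: drops the job's
 * reference and completes a deferred free. If the main thread already freed
 * the circ, touching it here is the use-after-free. */
static void reply_handler_model(job_t *job)
{
  circ_t *circ = job->circ;
  if (circ->free_count > 0)
    circ->uaf_count++;
  circ->workqueue_entry = NULL;
  --total_pending_tasks;
  if (circ->marked_dead)
    circuit_free_model(circ);
  free(job);
}

/* Queue one job, optionally let a worker claim it, have the main thread cancel
 * the handshake and free the circuit, then let the reply handler run. */
static outcome_t run_scenario(int fixed, int worker_claimed)
{
  circ_t circ = {0};
  job_t *job = calloc(1, sizeof(*job));
  if (!job)
    abort();
  job->circ = &circ;
  job->claimed = worker_claimed;
  circ.workqueue_entry = job;
  total_pending_tasks = 1;
  cancel_circ_handshake(&circ, fixed);
  circuit_free_model(&circ);
  if (worker_claimed) /* an unclaimed job was cancelled and is already gone */
    reply_handler_model(job);
  return (outcome_t){ circ.free_count, circ.uaf_count, total_pending_tasks };
}

int main(void)
{
  outcome_t b = run_scenario(0, 1), f = run_scenario(1, 1);
  printf("worker already running: buggy uaf=%d frees=%d, fixed uaf=%d frees=%d\n",
         b.uaf, b.frees, f.uaf, f.frees);
  return 0;
}
```

The invariant the model makes explicit is the one the one-line move in the patch relies on: a non-NULL workqueue_entry is the only signal the free path has that an in-flight job still holds a pointer to the circuit. Clearing it on a failed cancel lets the circuit be freed immediately, and the reply handler then runs with a dangling pointer; leaving it set defers the free to the reply handler, which frees the circuit exactly once.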