Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind

author Nick Mathewson <nickm@torproject.org>

Wed, 21 Oct 2015 13:59:19 +0000 (09:59 -0400)

committer Nick Mathewson <nickm@torproject.org>

Wed, 21 Oct 2015 13:59:19 +0000 (09:59 -0400)
author Nick Mathewson <nickm@torproject.org>
Wed, 21 Oct 2015 13:59:19 +0000 (09:59 -0400)
committer Nick Mathewson <nickm@torproject.org>
Wed, 21 Oct 2015 13:59:19 +0000 (09:59 -0400)
diff --git a/changes/bug17401 b/changes/bug17401

new file mode 100644 (file)

index 0000000..a22f79c
--- /dev/null
+++ b/changes/bug17401
@@ -0,0 +1,3 @@
+  o Major bugfixes (correctness):
+    - Fix a use-after-free bug in validate_intro_point_failure().
+      Fixes bug 17401; bugfix on 0.2.7.3-rc.
diff --git a/src/or/rendcache.c b/src/or/rendcache.c

index 542d322c79bda52f4b2860e1dd1f1043c926d8a8..df4f517807d8f0915cb4b6b4b751c583703fc31c 100644 (file)
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
        /* This intro point is in our cache, discard it from the descriptor
         * because chances are that it's unusable. */
        SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
-      rend_intro_point_free(intro);
        /* Keep it for our new entry. */
        digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+      /* Only free it when we're done looking at it. */
+      rend_intro_point_free(intro);
        continue;
      }
    } SMARTLIST_FOREACH_END(intro);
author	Nick Mathewson <nickm@torproject.org>
	Wed, 21 Oct 2015 13:59:19 +0000 (09:59 -0400)
committer	Nick Mathewson <nickm@torproject.org>
	Wed, 21 Oct 2015 13:59:19 +0000 (09:59 -0400)
changes/bug17401	[new file with mode: 0644]	patch \| blob
src/or/rendcache.c		patch \| blob \| blame \| history