Clear outbuf_flushlen when we clear a connection's outbuf

When we added single_conn_free_bytes(), we cleared the outbuf on a
connection without setting outbuf_flushlen() to 0.  This could cause
an assertion failure later on in flush_buf().

Fixes bug 23690; bugfix on 0.2.6.1-alpha.

diff --git a/changes/bug23690 b/changes/bug23690
new file mode 100644 (file)
index 0000000..36ff32e
--- /dev/null
+++ b/changes/bug23690
@@ -0,0 +1,5 @@
+  o Major bugfixes (relay, crash, assertion failure):
+    - Fix a timing-based assertion failure that could occur when the
+      circuit out-of-memory handler freed a connection's output buffer.
+      Fixes bug 23690; bugfix on 0.2.6.1-alpha.
+

diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index d7dbfe574421c13135420748199a4be6c99112b3..b71048590850368783e9833a41be66dffb58a45d 100644 (file)
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -1939,6 +1939,7 @@ single_conn_free_bytes(connection_t *conn)
   if (conn->outbuf) {
     result += buf_allocation(conn->outbuf);
     buf_clear(conn->outbuf);
+    conn->outbuf_flushlen = 0;
   }
   if (conn->type == CONN_TYPE_DIR) {
     dir_connection_t *dir_conn = TO_DIR_CONN(conn);