From: George Kadianakis
Date: Wed, 5 Jun 2019 15:19:23 +0000 (+0300)
Subject: Don't access rend data after a circuit has been marked for close.
X-Git-Tag: tor-0.4.1.2-alpha~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=917e4e9eae8645e65ea93836cbd82890eb5d7872;p=thirdparty%2Ftor.git

Don't access rend data after a circuit has been marked for close.

This can cause issues if the circuit was repurposed into a padding circuit instead of closing, since in that case we will wipe off the rend_data.
---

diff --git a/src/feature/rend/rendclient.c b/src/feature/rend/rendclient.c
index f84d221b1a..5bdd4d453e 100644
--- a/src/feature/rend/rendclient.c
+++ b/src/feature/rend/rendclient.c
@@ -403,14 +403,23 @@ rend_client_introduction_acked(origin_circuit_t *circ,
 } else {
 log_info(LD_REND,"...Found no rend circ. Dropping on the floor.");
 }
+ /* Save the rend data digest to a temporary object so that we don't access
+ * it after we mark the circuit for close. */
+ const uint8_t *rend_digest_tmp = NULL;
+ size_t digest_len;
+ uint8_t *cached_rend_digest = NULL;
+ rend_digest_tmp = rend_data_get_pk_digest(circ->rend_data, &digest_len);
+ cached_rend_digest = tor_malloc_zero(digest_len);
+ memcpy(cached_rend_digest, rend_digest_tmp, digest_len);
+
 /* close the circuit: we won't need it anymore. */
 circuit_change_purpose(TO_CIRCUIT(circ),
 CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
 circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);

 /* close any other intros launched in parallel */
- rend_client_close_other_intros(rend_data_get_pk_digest(circ->rend_data,
- NULL));
+ rend_client_close_other_intros(cached_rend_digest);
+ tor_free(cached_rend_digest); /* free the temporary digest */
 } else {
 /* It's a NAK; the introduction point didn't relay our request. */
 circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_C_INTRODUCING);
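Review bot: The heap copy made in the added block is handed to `rend_client_close_other_intros()` as a bare pointer, so nothing visible here ties the number of bytes the callee reads to `digest_len`; before this change the pointer referred into `circ->rend_data` itself. If the callee compares a fixed-size digest (presumably `DIGEST_LEN`, which this hunk does not show), a `tor_assert(digest_len == DIGEST_LEN);` before the allocation would turn a future size mismatch into a clean failure rather than a heap over-read. The three-step copy can also be written as `cached_rend_digest = tor_memdup(rend_digest_tmp, digest_len);`, and declaring `size_t digest_len = 0;` avoids carrying an uninitialized length if the getter ever returns without setting it. The body of `rend_client_introduction_acked()` starts and ends outside the hunk, so whether `circ->rend_data` is checked for NULL before this point cannot be confirmed from here.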