From: Nick Mathewson Date: Fri, 28 Oct 2011 20:38:56 +0000 (-0400) Subject: Fix a double-free that would occur on an invalid cert in a CERTS cell X-Git-Tag: tor-0.2.3.7-alpha~6^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c2a098e9800edb27d6a3630337e0efa72dfa7ba2;p=thirdparty%2Ftor.git Fix a double-free that would occur on an invalid cert in a CERTS cell We would stash the certs in the handshake state before checking them for validity... and then if they turned out to be invalid, we'd give an error and free them. Then, later, we'd free them again when we tore down the connection. Fixes bug 4343; fix on 0.2.3.6-alpha. --- diff --git a/changes/bug4343 b/changes/bug4343 new file mode 100644 index 0000000000..cee272b976 --- /dev/null +++ b/changes/bug4343 @@ -0,0 +1,5 @@ + o Major bugfixes: + - Fix a double-free bug that would occur when we received an invalid + certificate in a CERT cell in the new v3 handshake. Fixes bug 4343; + bugfix on 0.2.3.6-alpha. + diff --git a/src/or/command.c b/src/or/command.c index d35e2a9c80..aa5a62d54c 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -1020,8 +1020,6 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) ERR("The certs we wanted were missing"); /* Remember these certificates so we can check an AUTHENTICATE cell */ - conn->handshake_state->id_cert = id_cert; - conn->handshake_state->auth_cert = auth_cert; if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1)) ERR("The authentication certificate was not valid"); if (! tor_tls_cert_is_valid(id_cert, id_cert, 1)) @@ -1032,6 +1030,8 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) safe_str(conn->_base.address), conn->_base.port); /* XXXX check more stuff? */ + conn->handshake_state->id_cert = id_cert; + conn->handshake_state->auth_cert = auth_cert; id_cert = auth_cert = NULL; }