From: Nick Mathewson
Date: Mon, 11 Feb 2013 21:59:21 +0000 (-0500)
Subject: Avoid null-pointer deref in pathbias_is_new_circ_attempt
X-Git-Tag: tor-0.2.4.11-alpha~35
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f3835bcb37b56478adab7bee312cda2344190b38;p=thirdparty%2Ftor.git
Avoid null-pointer deref in pathbias_is_new_circ_attempt
Coverity is worried about this (CID 980653). It hasn't happened in testing, but we might as well make sure it can't happen.
---
diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index b9a4f89030..163afd3d29 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -1307,7 +1307,8 @@ pathbias_is_new_circ_attempt(origin_circuit_t *circ)
 /* cpath is a circular list. We want circs with more than one hop,
 * and the second hop must be waiting for keys still (it's just
 * about to get them). */
- return circ->cpath->next != circ->cpath &&
+ return circ->cpath &&
+ circ->cpath->next != circ->cpath &&
 circ->cpath->next->state == CPATH_STATE_AWAITING_KEYS;
 #else
 /* If tagging attacks are no longer possible, we probably want to
@@ -1315,7 +1316,8 @@ pathbias_is_new_circ_attempt(origin_circuit_t *circ)
 * timing-based tagging is still more useful than per-hop failure.
 * In which case, we'd never want to use this. */
- return circ->cpath->state == CPATH_STATE_AWAITING_KEYS;
+ return circ->cpath &&
+ circ->cpath->state == CPATH_STATE_AWAITING_KEYS;
 #endif
 }
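Review bot: The new `circ->cpath &&` guard on the first added line of the first hunk closes the Coverity finding but leaves `circ` itself dereferenced unchecked, and nothing in the code says when a circuit can reach this function with a NULL cpath — the commit message only says Coverity flagged it and it has not been seen in testing. A one-line comment would tell the next reader that returning 0 for that state is intended rather than incidental, e.g. `/* cpath may still be NULL here (presumably before the first hop is attached; confirm against callers); such a circ is not a new attempt. */`. The unchanged line still dereferences `circ->cpath->next` without a check, which is sound only while the circular-list invariant stated in the comment above holds for every non-NULL cpath. The enclosing function's signature and its `#if` line lie outside this hunk.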
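Review bot: The second hunk repeats the same `circ->cpath &&` guard in the `#else` branch, so the NULL check is now duplicated across both preprocessor arms of the return. Hoisting it once above the `#if` (which is outside this hunk) as `if (!circ->cpath) return 0;` would keep each arm to its original one-line condition and make it harder for a future edit to drop the check from one arm only. The function's closing `}` is inside the hunk but its opening and the `#if` line are not, so the exact placement has to be confirmed against the full function.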