commit 5b2070198a9fa7d19f50ba165dc6ff274ffe073a Author: Nick Mathewson nickm@torproject.org Date: Wed Oct 21 09:59:19 2015 -0400
Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind --- changes/bug17401 | 3 +++ src/or/rendcache.c | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/changes/bug17401 b/changes/bug17401
new file mode 100644
index 0000000..a22f79c
--- /dev/null
+++ b/changes/bug17401
@@ -0,0 +1,3 @@
+ o Major bugfixes (correctness):
+ - Fix a use-after-free bug in validate_intro_point_failure().
+ Fixes bug 17401; bugfix on 0.2.7.3-rc.
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 542d322..df4f517 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
 /* This intro point is in our cache, discard it from the descriptor
 * because chances are that it's unusable. */
 SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
- rend_intro_point_free(intro);
 /* Keep it for our new entry. */
 digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+ /* Only free it when we're done looking at it. */
+ rend_intro_point_free(intro);
 continue;
 }
 } SMARTLIST_FOREACH_END(intro);
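Review bot: The new comment above `rend_intro_point_free(intro)` in src/or/rendcache.c does not say which later use needs `intro` to stay alive, so a future reorder of these lines could reintroduce the use-after-free. Within the hunk the only candidate is `identity`, passed to `digestmap_set()`, which presumably points into memory owned by `intro`; its definition is above the hunk, so confirm before wording the comment. I would name the dependency explicitly, e.g. `/* identity points into intro: free intro only after digestmap_set() has taken the key. */`. Since the bug was found with valgrind, it would also help to run a unit test covering this branch under valgrind or ASan, so the ordering is checked automatically. The body of validate_intro_point_failure starts and ends outside the hunk.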