commit 733751009058a8ff140c15ddd8b022da6a77afdd Author: Sebastian Hahn <sebastian@torproject.org> Date: Mon Feb 9 16:04:51 2015 +0100 Avoid use-after-free of circ belonging to cancelled job This fixes a bug where we decide to free the circuit because it isn't on any workqueue anymore, and then the job finishes and the circuit gets freed again. Fixes bug #14815, not in any released version of Tor. --- src/or/cpuworker.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c index 5e8b32d..7fe2351 100644 --- a/src/or/cpuworker.c +++ b/src/or/cpuworker.c @@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ) tor_free(job); tor_assert(total_pending_tasks > 0); --total_pending_tasks; + circ->workqueue_entry = NULL; } - - circ->workqueue_entry = NULL; }