commit d22d565331c7f8e02abb7720afd447c6b8760f21 Author: Roger Dingledine arma@torproject.org Date: Wed May 24 23:23:12 2017 -0400

add copy of MyFamily element to the descriptor, not the element itself

If we add the element itself, we will later free it when we free the descriptor, and the next time we go to look at MyFamily, things will go badly.

Fixes the rest of bug 22368; bugfix on 0.3.1.1-alpha. --- changes/bug22368 | 6 ++++++ src/or/router.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/changes/bug22368 b/changes/bug22368 new file mode 100644 index 0000000..eb445d0 --- /dev/null +++ b/changes/bug22368 @@ -0,0 +1,6 @@ + o Major bugfixes: + - Relays that set MyFamily no longer free the elements of + options->MyFamily while making their descriptor. They tried to + access the freed elements, and then double-free them, when making + the next descriptor or when changing the config. Fixes bug 22368; + bugfix on 0.3.1.1-alpha. diff --git a/src/or/router.c b/src/or/router.c index b43742a..f2741b7 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -2308,7 +2308,7 @@ router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e) smartlist_add_strdup(warned_nonexistent_family, name); } if (is_legal) { - smartlist_add(ri->declared_family, name); + smartlist_add_strdup(ri->declared_family, name); name = NULL; } } else if (router_digest_is_me(member->identity)) {