commit 2e0a50abf415297a3e0e10c4147f738d3458c373
Author: Isis Lovecruft isis@torproject.org
Date: Sun Aug 16 00:49:03 2015 +0000

Remove redundant tor_free() in command_process_create_cell().

* FIXES #16823: https://bugs.torproject.org/16823

If an OP were to send a CREATE_FAST cell to an OR, and that CREATE_FAST cell had unparseable key material, then tor_free() would be called on the create cell twice. This fix removes the second (conditional on the key material being bad) call to tor_free(), so that now the create cell is always freed once, regardless of the status of the key material.

(This isn't actually a double-free bug, since tor_free() sets its input to NULL, and has no effect when called with input NULL.)
---
 src/or/command.c | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/or/command.c b/src/or/command.c index 719b107..af6e053 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -340,7 +340,6 @@ command_process_create_cell(cell_t *cell, channel_t *chan) if (len < 0) { log_warn(LD_OR,"Failed to generate key material. Closing."); circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL); - tor_free(create_cell); return; } created_cell.cell_type = CELL_CREATED_FAST;
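Review bot: In the `if (len < 0)` error path of command_process_create_cell(), the early `return` now depends entirely on a tor_free(create_cell) that lies outside the visible context, so please confirm that the earlier free is unconditional and that nothing between it and this branch still reads `create_cell`. A short comment at this return saying that `create_cell` has already been freed would keep a later reader from re-adding the call. The commit message also describes the trigger as "unparseable key material", while this branch logs "Failed to generate key material"; it would help to align the two so the condition being handled is unambiguous.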
tor-commits@lists.torproject.org