commit 8de735f0681970ff688cb5e775dae812ed27aa62 Author: Suphanat Chunhapanya haxx.pop@gmail.com Date: Tue Jan 15 12:12:31 2019 +0700

hs-v3: fix use after free in client auth config

We accidentally use `auth` after freeing it in client_service_authorization_free. The way to solve it is to free after using it. --- src/feature/hs/hs_client.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/feature/hs/hs_client.c b/src/feature/hs/hs_client.c index 5fded92fe..e04f0cc0c 100644 --- a/src/feature/hs/hs_client.c +++ b/src/feature/hs/hs_client.c @@ -1637,17 +1637,17 @@ hs_config_client_authorization(const or_options_t *options, * as a key of global map in the future. */ if (hs_parse_address(auth->onion_address, &identity_pk, NULL, NULL) < 0) { - client_service_authorization_free(auth); log_warn(LD_REND, "The onion address "%s" is invalid in " "file %s", filename, auth->onion_address); + client_service_authorization_free(auth); continue; }

if (digest256map_get(auths, identity_pk.pubkey)) { - client_service_authorization_free(auth); log_warn(LD_REND, "Duplicate authorization for the same hidden " "service address %s.", safe_str_client(auth->onion_address)); + client_service_authorization_free(auth); goto end; }