[tor-commits] [tor/master] Fix a double-free that would occur on an invalid cert in a CERTS cell

[nickm at torproject.org]

commit c2a098e9800edb27d6a3630337e0efa72dfa7ba2
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri Oct 28 16:38:56 2011 -0400

    Fix a double-free that would occur on an invalid cert in a CERTS cell
    
    We would stash the certs in the handshake state before checking them
    for validity... and then if they turned out to be invalid, we'd give
    an error and free them.  Then, later, we'd free them again when we
    tore down the connection.
    
    Fixes bug 4343; fix on 0.2.3.6-alpha.
---
 changes/bug4343  |    5 +++++
 src/or/command.c |    4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/changes/bug4343 b/changes/bug4343
new file mode 100644
index 0000000..cee272b
--- /dev/null
+++ b/changes/bug4343
@@ -0,0 +1,5 @@
+  o Major bugfixes:
+    - Fix a double-free bug that would occur when we received an invalid
+      certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
+      bugfix on 0.2.3.6-alpha.
+
diff --git a/src/or/command.c b/src/or/command.c
index d35e2a9..aa5a62d 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -1020,8 +1020,6 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
       ERR("The certs we wanted were missing");
 
     /* Remember these certificates so we can check an AUTHENTICATE cell */
-    conn->handshake_state->id_cert = id_cert;
-    conn->handshake_state->auth_cert = auth_cert;
     if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1))
       ERR("The authentication certificate was not valid");
     if (! tor_tls_cert_is_valid(id_cert, id_cert, 1))
@@ -1032,6 +1030,8 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
              safe_str(conn->_base.address), conn->_base.port);
     /* XXXX check more stuff? */
 
+    conn->handshake_state->id_cert = id_cert;
+    conn->handshake_state->auth_cert = auth_cert;
     id_cert = auth_cert = NULL;
   }