[tor-commits] [tor/maint-0.3.5] hs-v3: fix use after free in client auth config

nickm at torproject.org nickm at torproject.org
Fri Feb 8 13:37:50 UTC 2019


commit 8de735f0681970ff688cb5e775dae812ed27aa62
Author: Suphanat Chunhapanya <haxx.pop at gmail.com>
Date:   Tue Jan 15 12:12:31 2019 +0700

    hs-v3: fix use after free in client auth config
    
    We accidentally use `auth` after freeing it in
    client_service_authorization_free. The way to solve it is to
    free after using it.
---
 src/feature/hs/hs_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/feature/hs/hs_client.c b/src/feature/hs/hs_client.c
index 5fded92fe..e04f0cc0c 100644
--- a/src/feature/hs/hs_client.c
+++ b/src/feature/hs/hs_client.c
@@ -1637,17 +1637,17 @@ hs_config_client_authorization(const or_options_t *options,
        * as a key of global map in the future. */
       if (hs_parse_address(auth->onion_address, &identity_pk,
                            NULL, NULL) < 0) {
-        client_service_authorization_free(auth);
         log_warn(LD_REND, "The onion address \"%s\" is invalid in "
                           "file %s", filename, auth->onion_address);
+        client_service_authorization_free(auth);
         continue;
       }
 
       if (digest256map_get(auths, identity_pk.pubkey)) {
-        client_service_authorization_free(auth);
         log_warn(LD_REND, "Duplicate authorization for the same hidden "
                           "service address %s.",
                  safe_str_client(auth->onion_address));
+        client_service_authorization_free(auth);
         goto end;
       }
 





More information about the tor-commits mailing list