Bug 40897: Add more checks to free paths

Similar double-frees would be caught earlier by these, so long as the pointers
remain nulled out.

2 files changed, 9 insertions, 0 deletions

diff --git a/src/core/or/conflux.c b/src/core/or/conflux.c
index 0a2806b1dc..677df95067 100644
--- a/src/core/or/conflux.c
+++ b/src/core/or/conflux.c
@@ -115,6 +115,8 @@ conflux_leg_t *
 conflux_get_leg(conflux_t *cfx, const circuit_t *circ)
 {
   conflux_leg_t *leg_found = NULL;
+  tor_assert(cfx);
+  tor_assert(cfx->legs);
 
   // Find the leg that the cell is written on
   CONFLUX_FOR_EACH_LEG_BEGIN(cfx, leg) {
diff --git a/src/core/or/conflux_pool.c b/src/core/or/conflux_pool.c
index a9bd970aa1..5a677fb9aa 100644
--- a/src/core/or/conflux_pool.c
+++ b/src/core/or/conflux_pool.c
@@ -187,6 +187,8 @@ conflux_free_(conflux_t *cfx)
   if (!cfx) {
     return;
   }
+  tor_assert(cfx->legs);
+  tor_assert(cfx->ooo_q);
 
   SMARTLIST_FOREACH_BEGIN(cfx->legs, conflux_leg_t *, leg) {
     SMARTLIST_DEL_CURRENT(cfx->legs, leg);
@@ -260,6 +262,8 @@ unlinked_free(unlinked_circuits_t *unlinked)
   if (!unlinked) {
     return;
   }
+  tor_assert(unlinked->legs);
+
   /* This cfx is pointing to a linked set. */
   if (!unlinked->is_for_linked_set) {
     conflux_free(unlinked->cfx);
@@ -1611,6 +1615,9 @@ linked_circuit_free(circuit_t *circ, bool is_client)
 {
   tor_assert(circ);
   tor_assert(circ->conflux);
+  tor_assert(circ->conflux->legs);
+  tor_assert(circ->conflux->ooo_q);
+
   if (is_client) {
     tor_assert(circ->purpose == CIRCUIT_PURPOSE_CONFLUX_LINKED);
   }