Merge remote-tracking branch 'rransom-tor/bug4251-022' into maint-0.2.2

2 files changed, 21 insertions, 0 deletions

diff --git a/changes/bug4251 b/changes/bug4251
new file mode 100644
index 0000000000..303c9e6364
--- /dev/null
+++ b/changes/bug4251
@@ -0,0 +1,8 @@
+  o Minor bugfixes:
+
+    - When a hidden service turns an extra service-side introduction
+      circuit into a general-purpose circuit, free the rend_data and
+      intro_key fields first, so they won't be leaked if the circuit
+      is cannibalized for use as another service-side introduction
+      circuit.  Bugfix on 0.2.1.7-alpha; fixes bug 4251.
+
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 6ed9650fc1..0f5731912d 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -1421,7 +1421,20 @@ rend_service_intro_has_opened(origin_circuit_t *circuit)
       log_info(LD_CIRC|LD_REND, "We have just finished an introduction "
                "circuit, but we already have enough. Redefining purpose to "
                "general; leaving as internal.");
+
       TO_CIRCUIT(circuit)->purpose = CIRCUIT_PURPOSE_C_GENERAL;
+
+      {
+        rend_data_t *rend_data = circuit->rend_data;
+        circuit->rend_data = NULL;
+        rend_data_free(rend_data);
+      }
+      {
+        crypto_pk_env_t *intro_key = circuit->intro_key;
+        circuit->intro_key = NULL;
+        crypto_free_pk_env(intro_key);
+      }
+
       circuit_has_opened(circuit);
       return;
     }