diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-10-21 09:59:19 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-10-21 09:59:19 -0400 |
| commit | 5b2070198a9fa7d19f50ba165dc6ff274ffe073a (patch) | |
| tree | 9aa530214961a4b786c8f3a4adb291f2c1a7abeb | |
| parent | 542cc8a5fff7b566cb44185e1fb6aae8ff469a16 (diff) | |
| download | tor-5b2070198a9fa7d19f50ba165dc6ff274ffe073a.tar.gz tor-5b2070198a9fa7d19f50ba165dc6ff274ffe073a.zip | |
Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind
| -rw-r--r-- | changes/bug17401 | 3 | ||||
| -rw-r--r-- | src/or/rendcache.c | 3 |
2 files changed, 5 insertions, 1 deletions
diff --git a/changes/bug17401 b/changes/bug17401 new file mode 100644 index 0000000000..a22f79c431 --- /dev/null +++ b/changes/bug17401 @@ -0,0 +1,3 @@ + o Major bugfixes (correctness): + - Fix a use-after-free bug in validate_intro_point_failure(). + Fixes bug 17401; bugfix on 0.2.7.3-rc. diff --git a/src/or/rendcache.c b/src/or/rendcache.c index 542d322c79..df4f517807 100644 --- a/src/or/rendcache.c +++ b/src/or/rendcache.c @@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc, /* This intro point is in our cache, discard it from the descriptor * because chances are that it's unusable. */ SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro); - rend_intro_point_free(intro); /* Keep it for our new entry. */ digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup); + /* Only free it when we're done looking at it. */ + rend_intro_point_free(intro); continue; } } SMARTLIST_FOREACH_END(intro); |