diff options
author | Nick Mathewson <nickm@torproject.org> | 2015-10-21 11:06:47 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2015-10-21 11:06:47 -0400 |
commit | ff174995f07747628ad1e71fd344fc27e88a70ed (patch) | |
tree | 2365d9cededb660dbd2e33ac332c766a433860d0 | |
parent | fbaee1bf406f1755324d7503484f5a121a229d52 (diff) | |
parent | 5d45a26f39816c17459a3c71617cddcd3d19cea6 (diff) | |
download | tor-ff174995f07747628ad1e71fd344fc27e88a70ed.tar.gz tor-ff174995f07747628ad1e71fd344fc27e88a70ed.zip |
Merge branch 'maint-0.2.7' into release-0.2.7
-rw-r--r-- | changes/bug17398 | 3 | ||||
-rw-r--r-- | changes/bug17401 | 3 | ||||
-rw-r--r-- | changes/bug17402 | 3 | ||||
-rw-r--r-- | src/common/crypto_ed25519.c | 1 | ||||
-rw-r--r-- | src/or/rendcache.c | 24 |
5 files changed, 26 insertions, 8 deletions
diff --git a/changes/bug17398 b/changes/bug17398 new file mode 100644 index 0000000000..66e27a6966 --- /dev/null +++ b/changes/bug17398 @@ -0,0 +1,3 @@ + o Minor bugfixes (memory leaks): + - Fix a memory leak in ed25519 batch signature checking. + Fixes bug 17398; bugfix on 0.2.6.1-alpha. diff --git a/changes/bug17401 b/changes/bug17401 new file mode 100644 index 0000000000..a22f79c431 --- /dev/null +++ b/changes/bug17401 @@ -0,0 +1,3 @@ + o Major bugfixes (correctness): + - Fix a use-after-free bug in validate_intro_point_failure(). + Fixes bug 17401; bugfix on 0.2.7.3-rc. diff --git a/changes/bug17402 b/changes/bug17402 new file mode 100644 index 0000000000..4760e00b04 --- /dev/null +++ b/changes/bug17402 @@ -0,0 +1,3 @@ + o Major bugfixes (memory leak): + - Fix a memory leak in rend_cache_failure_entry_free(). + Fixes bug 17402; bugfix on 0.2.7.3-rc. diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c index 7e995f4616..1749efc34c 100644 --- a/src/common/crypto_ed25519.c +++ b/src/common/crypto_ed25519.c @@ -260,6 +260,7 @@ ed25519_checksig_batch(int *okay_out, tor_free(ms); tor_free(lens); tor_free(pks); + tor_free(sigs); if (! okay_out) tor_free(oks); } diff --git a/src/or/rendcache.c b/src/or/rendcache.c index 542d322c79..d4bdd68698 100644 --- a/src/or/rendcache.c +++ b/src/or/rendcache.c @@ -122,6 +122,12 @@ rend_cache_failure_intro_entry_free(rend_cache_failure_intro_t *entry) tor_free(entry); } +static void +rend_cache_failure_intro_entry_free_(void *entry) +{ + rend_cache_failure_intro_entry_free(entry); +} + /** Allocate a rend cache failure intro object and return it. <b>failure</b> * is set into the object. This function can not fail. */ static rend_cache_failure_intro_t * @@ -142,11 +148,9 @@ rend_cache_failure_entry_free(rend_cache_failure_t *entry) } /* Free and remove every intro failure object. */ - DIGESTMAP_FOREACH_MODIFY(entry->intro_failures, key, - rend_cache_failure_intro_t *, e) { - rend_cache_failure_intro_entry_free(e); - MAP_DEL_CURRENT(key); - } DIGESTMAP_FOREACH_END; + digestmap_free(entry->intro_failures, + rend_cache_failure_intro_entry_free_); + tor_free(entry); } @@ -353,7 +357,7 @@ cache_failure_intro_add(const uint8_t *identity, const char *service_id, rend_intro_point_failure_t failure) { rend_cache_failure_t *fail_entry; - rend_cache_failure_intro_t *entry; + rend_cache_failure_intro_t *entry, *old_entry; /* Make sure we have a failure object for this service ID and if not, * create it with this new intro failure entry. */ @@ -364,7 +368,10 @@ cache_failure_intro_add(const uint8_t *identity, const char *service_id, strmap_set_lc(rend_cache_failure, service_id, fail_entry); } entry = rend_cache_failure_intro_entry_new(failure); - digestmap_set(fail_entry->intro_failures, (char *) identity, entry); + old_entry = digestmap_set(fail_entry->intro_failures, + (char *) identity, entry); + /* This _should_ be NULL, but in case it isn't, free it. */ + rend_cache_failure_intro_entry_free(old_entry); } /** Using a parsed descriptor <b>desc</b>, check if the introduction points @@ -400,9 +407,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc, /* This intro point is in our cache, discard it from the descriptor * because chances are that it's unusable. */ SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro); - rend_intro_point_free(intro); /* Keep it for our new entry. */ digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup); + /* Only free it when we're done looking at it. */ + rend_intro_point_free(intro); continue; } } SMARTLIST_FOREACH_END(intro); |