Merge branch 'maint-0.2.7' into release-0.2.7

5 files changed, 26 insertions, 8 deletions

diff --git a/changes/bug17398 b/changes/bug17398
new file mode 100644
index 0000000000..66e27a6966
--- /dev/null
+++ b/changes/bug17398
@@ -0,0 +1,3 @@
+  o Minor bugfixes (memory leaks):
+    - Fix a memory leak in ed25519 batch signature checking.
+      Fixes bug 17398; bugfix on 0.2.6.1-alpha.
diff --git a/changes/bug17401 b/changes/bug17401
new file mode 100644
index 0000000000..a22f79c431
--- /dev/null
+++ b/changes/bug17401
@@ -0,0 +1,3 @@
+  o Major bugfixes (correctness):
+    - Fix a use-after-free bug in validate_intro_point_failure().
+      Fixes bug 17401; bugfix on 0.2.7.3-rc.
diff --git a/changes/bug17402 b/changes/bug17402
new file mode 100644
index 0000000000..4760e00b04
--- /dev/null
+++ b/changes/bug17402
@@ -0,0 +1,3 @@
+  o Major bugfixes (memory leak):
+    - Fix a memory leak in rend_cache_failure_entry_free().
+      Fixes bug 17402; bugfix on 0.2.7.3-rc.
diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c
index 7e995f4616..1749efc34c 100644
--- a/src/common/crypto_ed25519.c
+++ b/src/common/crypto_ed25519.c
@@ -260,6 +260,7 @@ ed25519_checksig_batch(int *okay_out,
     tor_free(ms);
     tor_free(lens);
     tor_free(pks);
+    tor_free(sigs);
     if (! okay_out)
       tor_free(oks);
   }
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 542d322c79..d4bdd68698 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -122,6 +122,12 @@ rend_cache_failure_intro_entry_free(rend_cache_failure_intro_t *entry)
   tor_free(entry);
 }
 
+static void
+rend_cache_failure_intro_entry_free_(void *entry)
+{
+  rend_cache_failure_intro_entry_free(entry);
+}
+
 /** Allocate a rend cache failure intro object and return it. <b>failure</b>
  * is set into the object. This function can not fail. */
 static rend_cache_failure_intro_t *
@@ -142,11 +148,9 @@ rend_cache_failure_entry_free(rend_cache_failure_t *entry)
   }
 
   /* Free and remove every intro failure object. */
-  DIGESTMAP_FOREACH_MODIFY(entry->intro_failures, key,
-                           rend_cache_failure_intro_t *, e) {
-    rend_cache_failure_intro_entry_free(e);
-    MAP_DEL_CURRENT(key);
-  } DIGESTMAP_FOREACH_END;
+  digestmap_free(entry->intro_failures,
+                 rend_cache_failure_intro_entry_free_);
+
   tor_free(entry);
 }
 
@@ -353,7 +357,7 @@ cache_failure_intro_add(const uint8_t *identity, const char *service_id,
                         rend_intro_point_failure_t failure)
 {
   rend_cache_failure_t *fail_entry;
-  rend_cache_failure_intro_t *entry;
+  rend_cache_failure_intro_t *entry, *old_entry;
 
   /* Make sure we have a failure object for this service ID and if not,
    * create it with this new intro failure entry. */
@@ -364,7 +368,10 @@ cache_failure_intro_add(const uint8_t *identity, const char *service_id,
     strmap_set_lc(rend_cache_failure, service_id, fail_entry);
   }
   entry = rend_cache_failure_intro_entry_new(failure);
-  digestmap_set(fail_entry->intro_failures, (char *) identity, entry);
+  old_entry = digestmap_set(fail_entry->intro_failures,
+                            (char *) identity, entry);
+  /* This _should_ be NULL, but in case it isn't, free it. */
+  rend_cache_failure_intro_entry_free(old_entry);
 }
 
 /** Using a parsed descriptor <b>desc</b>, check if the introduction points
@@ -400,9 +407,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
       /* This intro point is in our cache, discard it from the descriptor
        * because chances are that it's unusable. */
       SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
-      rend_intro_point_free(intro);
       /* Keep it for our new entry. */
       digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+      /* Only free it when we're done looking at it. */
+      rend_intro_point_free(intro);
       continue;
     }
   } SMARTLIST_FOREACH_END(intro);