router: Fix memory leak in signed_descriptor_move()

The signed_descriptor_move() was not releasing memory inside the destination
object before overwriting it with the source object. This commit adds a reset
function that free that memory inside a signed descriptor object and zero it.

Closes #20715.

Signed-off-by: David Goulet <dgoulet@torproject.org>

2 files changed, 17 insertions, 0 deletions

diff --git a/changes/bug20715 b/changes/bug20715
new file mode 100644
index 0000000000..737a560cec
--- /dev/null
+++ b/changes/bug20715
@@ -0,0 +1,4 @@
+  o Minor bugfixes (memory leak)
+    - When moving a signed descriptor object from a source to an existing
+      destination, free the allocated memory inside that destination object.
+      Bugfix on tor-0.2.8.3-alpha; Closes #20715.
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 56c0522cdc..b876795445 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -3235,6 +3235,17 @@ signed_descriptor_free(signed_descriptor_t *sd)
   tor_free(sd);
 }
 
+/** Reset the given signed descriptor <b>sd</b> by freeing the allocated
+ * memory inside the object and by zeroing its content. */
+static void
+signed_descriptor_reset(signed_descriptor_t *sd)
+{
+  tor_assert(sd);
+  tor_free(sd->signed_descriptor_body);
+  tor_cert_free(sd->signing_key_cert);
+  memset(sd, 0, sizeof(*sd));
+}
+
 /** Copy src into dest, and steal all references inside src so that when
  * we free src, we don't mess up dest. */
 static void
@@ -3242,6 +3253,8 @@ signed_descriptor_move(signed_descriptor_t *dest,
                        signed_descriptor_t *src)
 {
   tor_assert(dest != src);
+  /* Cleanup destination object before overwriting it.*/
+  signed_descriptor_reset(dest);
   memcpy(dest, src, sizeof(signed_descriptor_t));
   src->signed_descriptor_body = NULL;
   src->signing_key_cert = NULL;