summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGeorge Kadianakis <desnacked@riseup.net>2019-06-05 18:19:23 +0300
committerGeorge Kadianakis <desnacked@riseup.net>2019-06-05 18:19:44 +0300
commit917e4e9eae8645e65ea93836cbd82890eb5d7872 (patch)
tree9dfdfad427da76da306882f90099f92bdeff4180
parent7f341d64828d48ebaf4bfaa2720c614a25c8dbba (diff)
downloadtor-917e4e9eae8645e65ea93836cbd82890eb5d7872.tar.gz
tor-917e4e9eae8645e65ea93836cbd82890eb5d7872.zip
Don't access rend data after a circuit has been marked for close.
This can cause issues if the circuit was repurposed into a padding circuit instead of closing, since in that case we will wipe off the rend_data.
-rw-r--r--src/feature/rend/rendclient.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/src/feature/rend/rendclient.c b/src/feature/rend/rendclient.c
index f84d221b1a..5bdd4d453e 100644
--- a/src/feature/rend/rendclient.c
+++ b/src/feature/rend/rendclient.c
@@ -403,14 +403,23 @@ rend_client_introduction_acked(origin_circuit_t *circ,
} else {
log_info(LD_REND,"...Found no rend circ. Dropping on the floor.");
}
+ /* Save the rend data digest to a temporary object so that we don't access
+ * it after we mark the circuit for close. */
+ const uint8_t *rend_digest_tmp = NULL;
+ size_t digest_len;
+ uint8_t *cached_rend_digest = NULL;
+ rend_digest_tmp = rend_data_get_pk_digest(circ->rend_data, &digest_len);
+ cached_rend_digest = tor_malloc_zero(digest_len);
+ memcpy(cached_rend_digest, rend_digest_tmp, digest_len);
+
/* close the circuit: we won't need it anymore. */
circuit_change_purpose(TO_CIRCUIT(circ),
CIRCUIT_PURPOSE_C_INTRODUCE_ACKED);
circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_FINISHED);
/* close any other intros launched in parallel */
- rend_client_close_other_intros(rend_data_get_pk_digest(circ->rend_data,
- NULL));
+ rend_client_close_other_intros(cached_rend_digest);
+ tor_free(cached_rend_digest); /* free the temporary digest */
} else {
/* It's a NAK; the introduction point didn't relay our request. */
circuit_change_purpose(TO_CIRCUIT(circ), CIRCUIT_PURPOSE_C_INTRODUCING);