diff options
| author | Sebastian Hahn <sebastian@torproject.org> | 2015-02-09 16:04:51 +0100 |
|---|---|---|
| committer | Sebastian Hahn <sebastian@torproject.org> | 2015-02-09 16:12:47 +0100 |
| commit | 733751009058a8ff140c15ddd8b022da6a77afdd (patch) | |
| tree | 7b750594dd2143cb1f57aa6939f11743e20cfbad | |
| parent | 37d16c3cc78151daf2cbebd643ea4d64b504989e (diff) | |
| download | tor-733751009058a8ff140c15ddd8b022da6a77afdd.tar.gz tor-733751009058a8ff140c15ddd8b022da6a77afdd.zip | |
Avoid use-after-free of circ belonging to cancelled job
This fixes a bug where we decide to free the circuit because it isn't on
any workqueue anymore, and then the job finishes and the circuit gets
freed again.
Fixes bug #14815, not in any released version of Tor.
| -rw-r--r-- | src/or/cpuworker.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c index 5e8b32d780..7fe2351979 100644 --- a/src/or/cpuworker.c +++ b/src/or/cpuworker.c @@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ) tor_free(job); tor_assert(total_pending_tasks > 0); --total_pending_tasks; + circ->workqueue_entry = NULL; } - - circ->workqueue_entry = NULL; } |