aboutsummaryrefslogtreecommitdiff
path: root/src/core
diff options
context:
space:
mode:
authorDavid Goulet <dgoulet@torproject.org>2021-03-23 09:19:41 -0400
committerDavid Goulet <dgoulet@torproject.org>2021-03-23 09:19:41 -0400
commit9ca2394d6b51242bb5cf380757be5869d2a44c3c (patch)
tree9e941698035b90bd0775f1cfbd341178f6a31b6e /src/core
parent94fb308c5d0f0d76b46b25d5f7c584f2b5a900c3 (diff)
downloadtor-9ca2394d6b51242bb5cf380757be5869d2a44c3c.tar.gz
tor-9ca2394d6b51242bb5cf380757be5869d2a44c3c.zip
channel: Fix use after free in channel_do_open_actions()
Fortunately, our tor_free() is setting the variable to NULL after so we were in a situation where NULL was always used instead of the transport name. This first appeared in 894ff2dc8422cb86312c512698acd76476224f87 and results in basically no bridge with a transport being able to use DoS defenses. Fixes #40345 Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/core')
-rw-r--r--src/core/or/channel.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/or/channel.c b/src/core/or/channel.c
index 9194718e3d..50c03de846 100644
--- a/src/core/or/channel.c
+++ b/src/core/or/channel.c
@@ -1887,11 +1887,11 @@ channel_do_open_actions(channel_t *chan)
geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
&remote_addr, transport_name,
now);
- tor_free(transport_name);
/* Notify the DoS subsystem of a new client. */
if (tlschan && tlschan->conn) {
dos_new_client_conn(tlschan->conn, transport_name);
}
+ tor_free(transport_name);
}
/* Otherwise the underlying transport can't tell us this, so skip it */
}