Avoid use-after-free of circ belonging to cancelled job

This fixes a bug where we decide to free the circuit because it isn't on any workqueue anymore, and then the job finishes and the circuit gets freed again. Fixes bug #14815, not in any released version of Tor.
author: Sebastian Hahn <sebastian@torproject.org> 2015-02-09 16:04:51 +0100
committer: Sebastian Hahn <sebastian@torproject.org> 2015-02-09 16:12:47 +0100
commit: 733751009058a8ff140c15ddd8b022da6a77afdd (patch)
tree: 7b750594dd2143cb1f57aa6939f11743e20cfbad /src/or/cpuworker.c
parent: 37d16c3cc78151daf2cbebd643ea4d64b504989e (diff)
download: tor-733751009058a8ff140c15ddd8b022da6a77afdd.tar.gz
tor-733751009058a8ff140c15ddd8b022da6a77afdd.zip
1 files changed, 1 insertions, 2 deletions
diff --git a/src/or/cpuworker.c b/src/or/cpuworker.c
index 5e8b32d780..7fe2351979 100644
--- a/src/or/cpuworker.c
+++ b/src/or/cpuworker.c
@@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ)
     tor_free(job);
     tor_assert(total_pending_tasks > 0);
     --total_pending_tasks;
+    circ->workqueue_entry = NULL;
   }
-
-  circ->workqueue_entry = NULL;
 }
author	Sebastian Hahn <sebastian@torproject.org>	2015-02-09 16:04:51 +0100
committer	Sebastian Hahn <sebastian@torproject.org>	2015-02-09 16:12:47 +0100
commit	733751009058a8ff140c15ddd8b022da6a77afdd (patch)
tree	7b750594dd2143cb1f57aa6939f11743e20cfbad /src/or/cpuworker.c
parent	37d16c3cc78151daf2cbebd643ea4d64b504989e (diff)
download	tor-733751009058a8ff140c15ddd8b022da6a77afdd.tar.gz tor-733751009058a8ff140c15ddd8b022da6a77afdd.zip