Add a magic value to cpath_layer_t to make sure that we can tell valid cpaths from freed ones. I audited this once; it could use another audit.

svn:r3831

5 files changed, 11 insertions, 0 deletions

diff --git a/src/or/circuitbuild.c b/src/or/circuitbuild.c
index 67babbb87a..37073f8b8b 100644
--- a/src/or/circuitbuild.c
+++ b/src/or/circuitbuild.c
@@ -739,6 +739,7 @@ int onionskin_answer(circuit_t *circ, unsigned char *payload, unsigned char *key
   crypt_path_t *tmp_cpath;
 
   tmp_cpath = tor_malloc_zero(sizeof(crypt_path_t));
+  tmp_cpath->magic = CRYPT_PATH_MAGIC;
 
   memset(&cell, 0, sizeof(cell_t));
   cell.command = CELL_CREATED;
@@ -761,6 +762,7 @@ int onionskin_answer(circuit_t *circ, unsigned char *payload, unsigned char *key
   circ->n_crypto = tmp_cpath->f_crypto;
   circ->p_digest = tmp_cpath->b_digest;
   circ->p_crypto = tmp_cpath->b_crypto;
+  tmp_cpath->magic = 0;
   tor_free(tmp_cpath);
 
   memcpy(circ->handshake_digest, cell.payload+DH_KEY_LEN, DIGEST_LEN);
@@ -1415,6 +1417,7 @@ onion_append_hop(crypt_path_t **head_ptr, routerinfo_t *choice) {
   /* link hop into the cpath, at the end. */
   onion_append_to_cpath(head_ptr, hop);
 
+  hop->magic = CRYPT_PATH_MAGIC;
   hop->state = CPATH_STATE_CLOSED;
 
   hop->port = choice->or_port;
diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index f4add06090..22ad5c9272 100644
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -181,6 +181,7 @@ circuit_free_cpath_node(crypt_path_t *victim) {
     crypto_free_digest_env(victim->b_digest);
   if (victim->handshake_state)
     crypto_dh_free(victim->handshake_state);
+  victim->magic = 0xDEADBEEFu;
   tor_free(victim);
 }
 
@@ -456,6 +457,8 @@ void assert_cpath_layer_ok(const crypt_path_t *cp)
 {
 //  tor_assert(cp->addr); /* these are zero for rendezvous extra-hops */
 //  tor_assert(cp->port);
+  tor_assert(cp);
+  tor_assert(cp->magic == CRYPT_PATH_MAGIC);
   switch (cp->state)
     {
     case CPATH_STATE_OPEN:
diff --git a/src/or/or.h b/src/or/or.h
index 92d3de3433..70a31794ac 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -707,9 +707,12 @@ typedef struct {
   char *signing_router;
 } routerlist_t;
 
+#define CRYPT_PATH_MAGIC 0x70127012u
+
 /** Holds accounting information for a single step in the layered encryption
  * performed by a circuit.  Used only at the client edge of a circuit. */
 struct crypt_path_t {
+  uint32_t magic;
 
   /* crypto environments */
   /** Encryption key and counter for cells heading towards the OR at this
diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index 612d3f6b23..9fc6607533 100644
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -82,6 +82,7 @@ rend_client_send_introduction(circuit_t *introcirc, circuit_t *rendcirc) {
   if (!cpath) {
     cpath = rendcirc->build_state->pending_final_cpath =
       tor_malloc_zero(sizeof(crypt_path_t));
+    cpath->magic = CRYPT_PATH_MAGIC;
     if (!(cpath->handshake_state = crypto_dh_new())) {
       log_fn(LOG_WARN, "Couldn't allocate DH");
       goto err;
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 28fac1ddd3..d9f637c396 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -508,6 +508,7 @@ rend_service_introduce(circuit_t *circuit, const char *request, size_t request_l
           sizeof(launched->rend_query));
   launched->build_state->pending_final_cpath = cpath =
     tor_malloc_zero(sizeof(crypt_path_t));
+  cpath->magic = CRYPT_PATH_MAGIC;
   launched->build_state->expiry_time = time(NULL) + MAX_REND_TIMEOUT;
 
   cpath->handshake_state = dh;