author David Goulet <dgoulet@torproject.org> 2017-11-21 10:16:08 -0500
committer Nick Mathewson <nickm@torproject.org> 2017-11-28 18:41:29 -0500
commit 3030741b5d24e9ae36e6d72c6a8c7d035fde9d2a
tree 967933f9b7b07717e65486ddb20686766d5c0590 /src
parent 25c90230be25ec7f041501a033dcc932c3f9c83c
hs-v2: Remove any expiring intro from the retry list

TROVE-2017-13. Severity: High.

In the unlikely case that a hidden service could be missing intro circuit(s), that it didn't have enough directory information to open new circuits and that an intro point was about to expire, a use-after-free is possible because of the intro point object being both in the retry list and expiring list at the same time. The intro object would get freed after the circuit failed to open and then accessed a second time when cleaned up from the expiring list.

Fixes #24313

Diffstat (limited to 'src')
-rw-r--r-- src/or/rendservice.c 4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/or/rendservice.c b/src/or/rendservice.c
index 0a5b5efd54..cbf9981360 100644
--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -3444,6 +3444,10 @@ remove_invalid_intro_points(rend_service_t *service,
log_info(LD_REND, "Expiring %s as intro point for %s.",
safe_str_client(extend_info_describe(intro->extend_info)),
safe_str_client(service->service_id));
+ /* We might have put it in the retry list if so, undo. */
+ if (retry_nodes) {
+ smartlist_remove(retry_nodes, intro);
+ }
smartlist_add(service->expiring_nodes, intro);
SMARTLIST_DEL_CURRENT(service->intro_nodes, intro);
/* Intro point is expired, we need a new one thus don't consider it
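Review bot: the new `smartlist_remove(retry_nodes, intro)` call undoes an earlier insertion rather than preventing it, and the invariant it protects is not written down anywhere in the hunk: an intro point must never be in both `retry_nodes` and `service->expiring_nodes`, because per the commit message the object is freed via the retry path and then touched again during expiring-list cleanup. The added comment should state that invariant and name the use-after-free, and its punctuation should be fixed ("retry list; if so, undo"). If the expiry check can be evaluated before the intro point is added to the retry list, doing so would remove the need for the undo; that code is outside the visible context, so please confirm. The diffstat shows only `src/or/rendservice.c` changed, so a regression test covering an intro point that is both awaiting retry and expiring should accompany this fix.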