3 files changed, 9 insertions, 4 deletions

diff --git a/changes/md_leak_bug b/changes/md_leak_bug
new file mode 100644
index 0000000000..26270aacc3
--- /dev/null
+++ b/changes/md_leak_bug
@@ -0,0 +1,5 @@
+  o Major bugfixes (security, OOM)
+    - Fix a memory leak that could occur if a microdescriptor parse
+      fails during the tokenizing step. This could enable a memory
+      exhaustion attack by directory servers. Fixes bug #11649; bugfix
+      on 0.2.2.6-alpha.
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index a7968beca2..9e59c332a1 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -460,10 +460,8 @@ authority_cert_dl_failed(const char *id_digest, int status)
 
 static const char *BAD_SIGNING_KEYS[] = {
   "09CD84F751FD6E955E0F8ADB497D5401470D697E", // Expires 2015-01-11 16:26:31
-// dizum still needs to rotate as of 2014-04-14
-//"0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26
-// dannenberg still needs to rotate as of 2014-04-14
-//"57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09
+  "0E7E9C07F0969D0468AD741E172A6109DC289F3C", // Expires 2014-08-12 10:18:26
+  "57B85409891D3FB32137F642FDEDF8B7F8CDFDCD", // Expires 2015-02-11 17:19:09
   "87326329007AF781F587AF5B594E540B2B6C7630", // Expires 2014-07-17 11:10:09
   "98CC82342DE8D298CF99D3F1A396475901E0D38E", // Expires 2014-11-10 13:18:56
   "9904B52336713A5ADCB13E4FB14DC919E0D45571", // Expires 2014-04-20 20:01:01
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 97e0bc8c85..3ff887c3ca 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -4455,11 +4455,13 @@ microdescs_parse_from_string(const char *s, const char *eos,
     microdesc_free(md);
     md = NULL;
 
+    SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
     memarea_clear(area);
     smartlist_clear(tokens);
     s = start_of_next_microdesc;
   }
 
+  SMARTLIST_FOREACH(tokens, directory_token_t *, t, token_clear(t));
   memarea_drop_all(area);
   smartlist_free(tokens);