diff options
| -rw-r--r-- | changes/bug24313 | 5 | ||||
| -rw-r--r-- | src/or/rendservice.c | 4 |
2 files changed, 9 insertions, 0 deletions
diff --git a/changes/bug24313 b/changes/bug24313 new file mode 100644 index 0000000000..b927ec3ba6 --- /dev/null +++ b/changes/bug24313 @@ -0,0 +1,5 @@ + o Major bugfixes (security, hidden service v2): + - Fix a use-after-free error that could crash v2 Tor hidden services + when it failed to open circuits while expiring introductions + points. Fixes bug 24313; bugfix on 0.2.7.2-alpha. This + issue is also tracked as TROVE-2017-013 and CVE-2017-8823. diff --git a/src/or/rendservice.c b/src/or/rendservice.c index 0a5b5efd54..cbf9981360 100644 --- a/src/or/rendservice.c +++ b/src/or/rendservice.c @@ -3444,6 +3444,10 @@ remove_invalid_intro_points(rend_service_t *service, log_info(LD_REND, "Expiring %s as intro point for %s.", safe_str_client(extend_info_describe(intro->extend_info)), safe_str_client(service->service_id)); + /* We might have put it in the retry list if so, undo. */ + if (retry_nodes) { + smartlist_remove(retry_nodes, intro); + } smartlist_add(service->expiring_nodes, intro); SMARTLIST_DEL_CURRENT(service->intro_nodes, intro); /* Intro point is expired, we need a new one thus don't consider it |