From 03778a0f3489994e78de70c7c5cd69f570329fab Mon Sep 17 00:00:00 2001
From: Mike Perry <mikeperry-git@torproject.org>
Date: Wed, 6 Dec 2023 18:54:59 +0000
Subject: Bug 40897: Add more checks to free paths

Similar double-frees would be caught earlier by these, so long as the pointers
remain nulled out.
---
 src/core/or/conflux.c      | 2 ++
 src/core/or/conflux_pool.c | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/src/core/or/conflux.c b/src/core/or/conflux.c
index 0a2806b1dc..677df95067 100644
--- a/src/core/or/conflux.c
+++ b/src/core/or/conflux.c
@@ -115,6 +115,8 @@ conflux_leg_t *
 conflux_get_leg(conflux_t *cfx, const circuit_t *circ)
 {
   conflux_leg_t *leg_found = NULL;
+  tor_assert(cfx);
+  tor_assert(cfx->legs);
 
   // Find the leg that the cell is written on
   CONFLUX_FOR_EACH_LEG_BEGIN(cfx, leg) {
diff --git a/src/core/or/conflux_pool.c b/src/core/or/conflux_pool.c
index a9bd970aa1..5a677fb9aa 100644
--- a/src/core/or/conflux_pool.c
+++ b/src/core/or/conflux_pool.c
@@ -187,6 +187,8 @@ conflux_free_(conflux_t *cfx)
   if (!cfx) {
     return;
   }
+  tor_assert(cfx->legs);
+  tor_assert(cfx->ooo_q);
 
   SMARTLIST_FOREACH_BEGIN(cfx->legs, conflux_leg_t *, leg) {
     SMARTLIST_DEL_CURRENT(cfx->legs, leg);
@@ -260,6 +262,8 @@ unlinked_free(unlinked_circuits_t *unlinked)
   if (!unlinked) {
     return;
   }
+  tor_assert(unlinked->legs);
+
   /* This cfx is pointing to a linked set. */
   if (!unlinked->is_for_linked_set) {
     conflux_free(unlinked->cfx);
@@ -1611,6 +1615,9 @@ linked_circuit_free(circuit_t *circ, bool is_client)
 {
   tor_assert(circ);
   tor_assert(circ->conflux);
+  tor_assert(circ->conflux->legs);
+  tor_assert(circ->conflux->ooo_q);
+
   if (is_client) {
     tor_assert(circ->purpose == CIRCUIT_PURPOSE_CONFLUX_LINKED);
   }
-- 
cgit v1.2.3-54-g00ecf