From 5b2070198a9fa7d19f50ba165dc6ff274ffe073a Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 21 Oct 2015 09:59:19 -0400
Subject: Fix a use-after-free in validate_intro_point_failure. Bug 17401.
 Found w valgrind

---
 changes/bug17401   | 3 +++
 src/or/rendcache.c | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 changes/bug17401

diff --git a/changes/bug17401 b/changes/bug17401
new file mode 100644
index 0000000000..a22f79c431
--- /dev/null
+++ b/changes/bug17401
@@ -0,0 +1,3 @@
+  o Major bugfixes (correctness):
+    - Fix a use-after-free bug in validate_intro_point_failure().
+      Fixes bug 17401; bugfix on 0.2.7.3-rc.
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 542d322c79..df4f517807 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
       /* This intro point is in our cache, discard it from the descriptor
        * because chances are that it's unusable. */
       SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
-      rend_intro_point_free(intro);
       /* Keep it for our new entry. */
       digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+      /* Only free it when we're done looking at it. */
+      rend_intro_point_free(intro);
       continue;
     }
   } SMARTLIST_FOREACH_END(intro);
-- 
cgit v1.2.3-54-g00ecf