From 5b2070198a9fa7d19f50ba165dc6ff274ffe073a Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 21 Oct 2015 09:59:19 -0400
Subject: Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind
---
 src/or/rendcache.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/or/rendcache.c b/src/or/rendcache.c
index 542d322c79..df4f517807 100644
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
 /* This intro point is in our cache, discard it from the descriptor
 * because chances are that it's unusable. */
 SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
- rend_intro_point_free(intro);
 /* Keep it for our new entry. */
 digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+ /* Only free it when we're done looking at it. */
+ rend_intro_point_free(intro);
 continue;
 }
 } SMARTLIST_FOREACH_END(intro);
-- cgit v1.2.3-54-g00ecf
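Review bot: The new comment above `rend_intro_point_free(intro)` does not say which later use depends on `intro` staying alive, so the ordering is easy to break again in a refactor. Presumably `identity` points into memory owned by `intro` (its assignment is outside the hunk), which is why `digestmap_set()` has to run first; I would spell that out, e.g. `/* identity points into intro; free it only after digestmap_set() has consumed the key. */`. The diffstat shows only rendcache.c changed, so a unit test that drives this branch under valgrind or ASan would keep the fix from regressing. The body of validate_intro_point_failure starts and ends outside the hunk.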