From 9ca2394d6b51242bb5cf380757be5869d2a44c3c Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Tue, 23 Mar 2021 09:19:41 -0400
Subject: channel: Fix use after free in channel_do_open_actions()
Fortunately, our tor_free() is setting the variable to NULL after so we were in a situation where NULL was always used instead of the transport name. This first appeared in 894ff2dc8422cb86312c512698acd76476224f87 and results in basically no bridge with a transport being able to use DoS defenses.
Fixes #40345
Signed-off-by: David Goulet
---
 src/core/or/channel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/core/or/channel.c b/src/core/or/channel.c
index 9194718e3d..50c03de846 100644
--- a/src/core/or/channel.c
+++ b/src/core/or/channel.c
@@ -1887,11 +1887,11 @@ channel_do_open_actions(channel_t *chan)
 geoip_note_client_seen(GEOIP_CLIENT_CONNECT, &remote_addr, transport_name, now);
- tor_free(transport_name);
 /* Notify the DoS subsystem of a new client. */
 if (tlschan && tlschan->conn) {
 dos_new_client_conn(tlschan->conn, transport_name);
 }
+ tor_free(transport_name);
 }
 /* Otherwise the underlying transport can't tell us this, so skip it */
 }
-- cgit v1.2.3-54-g00ecf
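Review bot: Nothing at the relocated `tor_free(transport_name);` says why it has to come last, and the old ordering failed silently because tor_free() leaves the pointer NULL, so a later reshuffle of this block could reintroduce the bug unnoticed. I would add a comment directly above the free, for example `/* Free only after the geoip and DoS accounting above have read transport_name. */`. The new ordering also presumes that dos_new_client_conn() does not keep the pointer past the call; that is not visible from this hunk and is worth confirming or stating in that function's doc comment. The diffstat lists only channel.c under src, so a regression test asserting that the DoS subsystem receives a non-NULL transport name for a connection with a transport appears to be missing. channel_do_open_actions() begins before this hunk, so only part of its body is visible here.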