From 2e0a50abf415297a3e0e10c4147f738d3458c373 Mon Sep 17 00:00:00 2001
From: Isis Lovecruft <isis@torproject.org>
Date: Sun, 16 Aug 2015 00:49:03 +0000
Subject: [PATCH] Remove redundant tor_free()  in
 command_process_create_cell().

 * FIXES #16823: https://bugs.torproject.org/16823
   If an OP were to send a CREATE_FAST cell to an OR, and that
   CREATE_FAST cell had unparseable key material, then tor_free() would
   be called on the create cell twice.  This fix removes the second
   (conditional on the key material being bad) call to tor_free(), so
   that now the create cell is always freed once, regardless of the status of
   the key material.

   (This isn't actually a double-free bug, since tor_free() sets its
   input to NULL, and has no effect when called with input NULL.)
---
 src/or/command.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/or/command.c b/src/or/command.c
index 719b10736b..af6e0533d8 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -340,7 +340,6 @@ command_process_create_cell(cell_t *cell, channel_t *chan)
     if (len < 0) {
       log_warn(LD_OR,"Failed to generate key material. Closing.");
       circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
-      tor_free(create_cell);
       return;
     }
     created_cell.cell_type = CELL_CREATED_FAST;