Nick Mathewson 12 роки тому
батько
коміт
4dd8d811d6
3 змінених файлів з 9 додано та 4 видалено
  1. 5 0
      changes/bug4343
  2. 1 1
      src/common/tortls.c
  3. 3 3
      src/or/command.c

+ 5 - 0
changes/bug4343

@@ -0,0 +1,5 @@
+  o Major bugfixes:
+    - Fix a double-free bug that would occur when we received an invalid
+      certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
+      bugfix on 0.2.3.6-alpha.
+

+ 1 - 1
src/common/tortls.c

@@ -694,7 +694,7 @@ tor_cert_free(tor_cert_t *cert)
   if (cert->cert)
     X509_free(cert->cert);
   tor_free(cert->encoded);
-  memset(cert, 0x03, sizeof(cert));
+  memset(cert, 0x03, sizeof(*cert));
   tor_free(cert);
 }
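Review bot: The poison fill `memset(cert, 0x03, sizeof(*cert));` is a dead store directly ahead of `tor_free(cert)`, so an optimizing compiler is permitted to drop it. The tripwire for stale `tor_cert_t` pointers that it presumably provides may therefore be missing from release builds. If it is meant to survive optimization, do the fill through a volatile-qualified pointer or an existing non-elidable wipe helper, and state the intent with a comment such as `/* poison the struct so a use-after-free is easy to spot */`. The old `sizeof(cert)` only covered pointer-size bytes, so a compile-time check or a `-Wsizeof-pointer-memaccess`-style warning in the build would catch a recurrence. `tor_cert_free` starts above the hunk, so whether `cert` is NULL-checked before `cert->cert` is read cannot be confirmed from here.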
 

+ 3 - 3
src/or/command.c

@@ -1026,8 +1026,6 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
       ERR("The certs we wanted were missing");
 
     /* Remember these certificates so we can check an AUTHENTICATE cell */
-    conn->handshake_state->id_cert = id_cert;
-    conn->handshake_state->auth_cert = auth_cert;
     if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1))
       ERR("The authentication certificate was not valid");
     if (! tor_tls_cert_is_valid(id_cert, id_cert, 1))
@@ -1038,6 +1036,8 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
              safe_str(conn->_base.address), conn->_base.port);
     /* XXXX check more stuff? */
 
+    conn->handshake_state->id_cert = id_cert;
+    conn->handshake_state->auth_cert = auth_cert;
     id_cert = auth_cert = NULL;
   }
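Review bot: The two assignments into `conn->handshake_state` followed by `id_cert = auth_cert = NULL;` are an ownership hand-off, but nothing at that spot says so. The only comment, "Remember these certificates so we can check an AUTHENTICATE cell", is left in the earlier hunk above the validity checks it no longer describes. Move it down to the assignments and make the invariant explicit, e.g. `/* All checks passed: handshake_state now owns both certs; NULL the locals so the error path does not free them again. */`. Any future `ERR()` placed between the store and the NULLing would bring back the double free this commit fixes, so the three lines should stay adjacent. The function's cleanup code and any guard against a second CERT cell lie outside the hunk, so whether a previously stored `id_cert`/`auth_cert` could be overwritten without being freed is not visible here.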
 
@@ -1141,7 +1141,7 @@ command_process_authenticate_cell(var_cell_t *cell, or_connection_t *conn)
 #define ERR(s)                                                  \
   do {                                                          \
     log_fn(LOG_PROTOCOL_WARN, LD_PROTOCOL,                      \
-           "Received a bad AUTHETNICATE cell from %s:%d: %s",   \
+           "Received a bad AUTHENTICATE cell from %s:%d: %s",   \
            safe_str(conn->_base.address), conn->_base.port, (s));       \
     connection_mark_for_close(TO_CONN(conn));                   \
     return;                                                     \