From 57822cbbbe85410785716fa62667b674b35602df Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Thu, 7 Jul 2011 11:00:21 -0400
Subject: [PATCH] Avoid double-free in bufferevent read/write cbs Fixes bug 3404; bugfix on 0.2.3.1-alpha.
---
 changes/bug3404 | 3 +++
 src/or/connection.c | 9 ++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 changes/bug3404
diff --git a/changes/bug3404 b/changes/bug3404
new file mode 100644
index 0000000000..4e2e21bc02
--- /dev/null
+++ b/changes/bug3404
@@ -0,0 +1,3 @@
+ o Minor bugfixes:
+ - Fix a class of double-mark-for-close bugs when bufferevents
+ are enabled. Fixes bug 3404; bugfix on 0.2.3.1-alpha.
diff --git a/src/or/connection.c b/src/or/connection.c
index e8969e09fc..c84ee04d54 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -2957,9 +2957,11 @@ connection_handle_read_cb(struct bufferevent *bufev, void *arg)
 {
 connection_t *conn = arg;
 (void) bufev;
- if (!conn->marked_for_close)
+ if (!conn->marked_for_close) {
 if (connection_process_inbuf(conn, 1)<0) /* XXXX Always 1? */
- connection_mark_for_close(conn);
+ if (!conn->marked_for_close)
+ connection_mark_for_close(conn);
+ }
 }
 /** Callback: invoked whenever a bufferevent has written data. */
@@ -2969,7 +2971,8 @@ connection_handle_write_cb(struct bufferevent *bufev, void *arg)
 connection_t *conn = arg;
 struct evbuffer *output;
 if (connection_flushed_some(conn)<0) {
- connection_mark_for_close(conn);
+ if (!conn->marked_for_close)
+ connection_mark_for_close(conn);
 return;
 }
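Review bot: The new inner `if (!conn->marked_for_close)` in connection_handle_read_cb carries no comment explaining why the flag is tested a second time, and the same bare guard is repeated in the connection_handle_write_cb hunk. Presumably connection_process_inbuf() and connection_flushed_some() can mark the connection themselves on some failure paths, which is what makes the re-check necessary; a one-line comment at both sites, such as `/* The callee may already have marked conn on failure; don't mark it twice. */`, would keep a later cleanup from deleting the check as redundant. In the read callback the `<0` test is also left unbraced under the newly braced outer `if`, so I would brace it too: `if (connection_process_inbuf(conn, 1)<0) {`, then the guarded `connection_mark_for_close(conn);`, then `}`. The body of connection_handle_write_cb continues past the end of its hunk, so only the guarded error path is visible there.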