Fix a use-after-free in validate_intro_point_failure. Bug 17401. Found w valgrind

2024-11-10 13:13:44 +01:00 · 2015-10-21 09:59:19 -04:00 · 2015-10-21 09:59:19 -04:00 · 5b2070198a
commit 5b2070198a
parent 542cc8a5ff
2 changed files with 5 additions and 1 deletions
--- a/changes/bug17401
+++ b/changes/bug17401
@ -0,0 +1,3 @@
+  o Major bugfixes (correctness):
+    - Fix a use-after-free bug in validate_intro_point_failure().
+      Fixes bug 17401; bugfix on 0.2.7.3-rc.
--- a/src/or/rendcache.c
+++ b/src/or/rendcache.c
@ -400,9 +400,10 @@ validate_intro_point_failure(const rend_service_descriptor_t *desc,
      /* This intro point is in our cache, discard it from the descriptor
       * because chances are that it's unusable. */
      SMARTLIST_DEL_CURRENT(desc->intro_nodes, intro);
-      rend_intro_point_free(intro);
      /* Keep it for our new entry. */
      digestmap_set(new_entry->intro_failures, (char *) identity, ent_dup);
+      /* Only free it when we're done looking at it. */
+      rend_intro_point_free(intro);
      continue;
    }
  } SMARTLIST_FOREACH_END(intro);