Avoid use-after-free of circ belonging to cancelled job

This fixes a bug where we decide to free the circuit because it isn't on
any workqueue anymore, and then the job finishes and the circuit gets
freed again.

Fixes bug #14815, not in any released version of Tor.
This commit is contained in:
Sebastian Hahn 2015-02-09 16:04:51 +01:00
parent 37d16c3cc7
commit 7337510090

View File

@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ)
tor_free(job);
tor_assert(total_pending_tasks > 0);
--total_pending_tasks;
circ->workqueue_entry = NULL;
}
circ->workqueue_entry = NULL;
}