From 98aee8472f8028260f85b69499fa892060c9534c Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 20 Oct 2010 12:34:02 -0400
Subject: [PATCH] Fix a read of a freed pointer while in set_current_consensus Found by rransom while working on issue #988. Bugfix on 0.2.2.17-alpha. Fixes bug 2097.
---
 changes/set_ns_crash | 4 ++++
 src/or/networkstatus.c | 18 +++++++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 changes/set_ns_crash
diff --git a/changes/set_ns_crash b/changes/set_ns_crash
new file mode 100644
index 0000000000..34466d7ad0
--- /dev/null
+++ b/changes/set_ns_crash
@@ -0,0 +1,4 @@
+ o Major bugfixes:
+ - Avoid a crash bug triggered by looking at a dangling pointer while
+ setting the network status consensus. Found by Robert Ransom.
+ Bugfix on 0.2.2.17-alpha. Fixes bug 2097.
diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c
index 1d8a20be11..27049d9ef2 100644
--- a/src/or/networkstatus.c
+++ b/src/or/networkstatus.c
@@ -1706,6 +1706,10 @@ networkstatus_set_current_consensus(const char *consensus,
 if (current_consensus) {
 networkstatus_copy_old_consensus_info(c, current_consensus);
 networkstatus_vote_free(current_consensus);
+ /* Defensive programming : we should set current_consensus very soon,
+ * but we're about to call some stuff in the meantime, and leaving this
+ * dangling pointer around has proven to be trouble. */
+ current_consensus = NULL;
 }
 }
@@ -1731,13 +1735,6 @@ networkstatus_set_current_consensus(const char *consensus,
 download_status_failed(&consensus_dl_status[flav], 0);
 }
- if (directory_caches_dir_info(options)) {
- dirserv_set_cached_consensus_networkstatus(consensus,
- flavor,
- &c->digests,
- c->valid_after);
- }
-
 if (flav == USABLE_CONSENSUS_FLAVOR) {
 current_consensus = c;
 c = NULL; /* Prevent free. */
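Review bot: The comment added in the `if (current_consensus)` block of the first networkstatus.c hunk says "some stuff" is called while the pointer is cleared, which does not tell the next reader what invariant now holds. From `networkstatus_vote_free(current_consensus)` until the later `current_consensus = c;`, the global is NULL instead of dangling, so I would state that directly, for example `/* current_consensus stays NULL until it is reassigned below; anything called in between must tolerate NULL. */`. Whether every function called in that window checks for NULL cannot be confirmed from this hunk, since the body of networkstatus_set_current_consensus starts and ends outside it.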
@@ -1754,6 +1751,13 @@ networkstatus_set_current_consensus(const char *consensus,
 circuit_build_times_new_consensus_params(&circ_times, current_consensus);
 }
+ if (directory_caches_dir_info(options)) {
+ dirserv_set_cached_consensus_networkstatus(consensus,
+ flavor,
+ &c->digests,
+ c->valid_after);
+ }
+
 if (!from_cache) {
 write_str_to_file(consensus_fname, consensus, 0);
 }
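Review bot: The relocated `dirserv_set_cached_consensus_networkstatus()` call still reads `&c->digests` and `c->valid_after`, but it now runs after the `flav == USABLE_CONSENSUS_FLAVOR` branch, where the previous hunk's context shows `current_consensus = c; c = NULL; /* Prevent free. */`. Unless `c` is reassigned in the lines between the two hunks, which are not visible here, a directory cache processing the usable flavor would dereference NULL at this call, trading the freed-pointer read for a reliable crash. One way to keep `c` valid for this call is to track ownership separately instead of clearing the pointer, for example replacing `c = NULL; /* Prevent free. */` with a flag such as `free_consensus = 0;` that the cleanup path checks before freeing. The function body starts and ends outside this hunk, so the cleanup path would need the matching change.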