channel: Fix use after free in channel_do_open_actions()

Fortunately, our tor_free() is setting the variable to NULL after so we were in a situation where NULL was always used instead of the transport name. This first appeared in 894ff2dc84 and results in basically no bridge with a transport being able to use DoS defenses. Fixes #40345 Signed-off-by: David Goulet <dgoulet@torproject.org>
2024-11-24 04:13:28 +01:00 · 2021-03-23 09:19:41 -04:00 · 2021-03-23 09:19:41 -04:00 · 9ca2394d6b
commit 9ca2394d6b
parent 94fb308c5d
2 changed files with 6 additions and 1 deletions
--- a/changes/ticket40345
+++ b/changes/ticket40345
@ -0,0 +1,5 @@
+  o Minor bugfixes (channel, DoS):
+    - Fix a possible non fatal assertion BUG() due to a too early free of a
+      string when noting down the client connection for the DoS defenses
+      subsystem. Fixes bug 40345; bugfix on 0.4.3.4-rc
+
--- a/src/core/or/channel.c
+++ b/src/core/or/channel.c
@ -1887,11 +1887,11 @@ channel_do_open_actions(channel_t *chan)
        geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
                               &remote_addr, transport_name,
                               now);
-        tor_free(transport_name);
        /* Notify the DoS subsystem of a new client. */
        if (tlschan && tlschan->conn) {
          dos_new_client_conn(tlschan->conn, transport_name);
        }
+        tor_free(transport_name);
      }
      /* Otherwise the underlying transport can't tell us this, so skip it */
    }