Avoid use-after-free of circ belonging to cancelled job · 7337510090 - CrySP Git Service

Avoid use-after-free of circ belonging to cancelled job

This fixes a bug where we decide to free the circuit because it isn't on
any workqueue anymore, and then the job finishes and the circuit gets
freed again.

Fixes bug #14815, not in any released version of Tor.

Sebastian Hahn 9 years ago

parent

37d16c3cc7

commit

7337510090

1 changed files with 1 additions and 2 deletions

Split View Show Diff Stats

						
							+ 1
							
							- 2
						
src/or/cpuworker.c
							 
								View File
							
				@@ -556,8 +556,7 @@ cpuworker_cancel_circ_handshake(or_circuit_t *circ)
			
				     tor_free(job);
			
				     tor_assert(total_pending_tasks > 0);
			
				     --total_pending_tasks;
			
				+    circ->workqueue_entry = NULL;
			
				   }
			
				-
			
				-  circ->workqueue_entry = NULL;
			
				 }