Fixed a race condition with cell message passing.

src/core/or/channeltls.c

@@ -857,6 +857,7 @@ channel_tls_write_packed_cell_method(channel_t *chan,
     //                        TO_CONN(tlschan->conn));
     if (connection_may_write_to_buf(TO_CONN(tlschan->conn))) {
       event_data_t event_data = { .ptr = packed_cell };
+      packed_cell = NULL;
       event_source_publish(TO_CONN(tlschan->conn)->event_source,
                            or_conn_outgoing_packed_cell, event_data,
                            void_packed_cell_free);

src/core/or/connection_or.c

@@ -2443,10 +2443,6 @@ connection_or_write_cell_to_buf(const cell_t *cell, or_connection_t *conn)
 
   //connection_buf_add(networkcell.body, cell_network_size, TO_CONN(conn));
 
-  event_data_t event_data = { .ptr = cell };
-  event_source_publish(TO_CONN(conn)->event_source,
-                       or_conn_outgoing_fixed_cell, event_data, tor_free_);
-
   /* Touch the channel's active timestamp if there is one */
   if (conn->chan) {
     channel_timestamp_active(TLS_CHAN_TO_BASE(conn->chan));
@@ -2460,6 +2456,11 @@ connection_or_write_cell_to_buf(const cell_t *cell, or_connection_t *conn)
 
   if (conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V3)
     or_handshake_state_record_cell(conn, conn->handshake_state, cell, 0);
+
+  event_data_t event_data = { .ptr = cell };
+  cell = NULL;
+  event_source_publish(TO_CONN(conn)->event_source,
+                       or_conn_outgoing_fixed_cell, event_data, tor_free_);
 }
 
 static void
@@ -2485,11 +2486,6 @@ connection_or_write_var_cell_to_buf,(const var_cell_t *cell,
   //connection_buf_add((char*)cell->payload,
   //                        cell->payload_len, TO_CONN(conn));
 
-  event_data_t event_data = { .ptr = cell };
-  event_source_publish(TO_CONN(conn)->event_source,
-                       or_conn_outgoing_variable_cell, event_data,
-                       void_var_cell_free);
-
   if (conn->base_.state == OR_CONN_STATE_OR_HANDSHAKING_V3)
     or_handshake_state_record_var_cell(conn, conn->handshake_state, cell, 0);
 
@@ -2497,6 +2493,12 @@ connection_or_write_var_cell_to_buf,(const var_cell_t *cell,
   /* Touch the channel's active timestamp if there is one */
   if (conn->chan)
     channel_timestamp_active(TLS_CHAN_TO_BASE(conn->chan));
+
+  event_data_t event_data = { .ptr = cell };
+  cell = NULL;
+  event_source_publish(TO_CONN(conn)->event_source,
+                       or_conn_outgoing_variable_cell, event_data,
+                       void_var_cell_free);
 }
 
 ///** See whether there's a variable-length cell waiting on <b>or_conn</b>'s
@@ -2624,6 +2626,7 @@ connection_or_send_versions(or_connection_t *conn, int v3_plus)
   cell->payload_len = n_versions * 2;
 
   connection_or_write_var_cell_to_buf(cell, conn);
+  cell = NULL;
   conn->handshake_state->sent_versions_at = time(NULL);
 
   //var_cell_free(cell);
@@ -2732,6 +2735,7 @@ connection_or_send_netinfo,(or_connection_t *conn))
   conn->handshake_state->digest_sent_data = 0;
   conn->handshake_state->sent_netinfo = 1;
   connection_or_write_cell_to_buf(cell, conn);
+  cell = NULL;
 
   r = 0;
  cleanup:
@@ -2883,6 +2887,7 @@ connection_or_send_certs_cell(or_connection_t *conn)
   cell->payload_len = enc_len;
 
   connection_or_write_var_cell_to_buf(cell, conn);
+  cell = NULL;
   //var_cell_free(cell);
   certs_cell_free(certs_cell);
   //tor_x509_cert_free(own_link_cert);
@@ -2973,6 +2978,7 @@ connection_or_send_auth_challenge_cell(or_connection_t *conn)
   cell->command = CELL_AUTH_CHALLENGE;
 
   connection_or_write_var_cell_to_buf(cell, conn);
+  cell = NULL;
   r = 0;
 
  done:
@@ -3278,6 +3284,7 @@ connection_or_send_authenticate_cell,(or_connection_t *conn, int authtype))
     return -1;
   }
   connection_or_write_var_cell_to_buf(cell, conn);
+  cell = NULL;
   //var_cell_free(cell);
 
   return 0;