[tor-commits] [tor/maint-0.4.4] channel: Fix use after free in channel_do_open_actions()
commit 9ca2394d6b51242bb5cf380757be5869d2a44c3c
Author: David Goulet <dgoulet@xxxxxxxxxxxxxx>
Date: Tue Mar 23 09:19:41 2021 -0400
channel: Fix use after free in channel_do_open_actions()
Fortunately, our tor_free() is setting the variable to NULL after so we were
in a situation where NULL was always used instead of the transport name.
This first appeared in 894ff2dc8422cb86312c512698acd76476224f87 and results in
basically no bridge with a transport being able to use DoS defenses.
Fixes #40345
Signed-off-by: David Goulet <dgoulet@xxxxxxxxxxxxxx>
---
changes/ticket40345 | 5 +++++
src/core/or/channel.c | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/changes/ticket40345 b/changes/ticket40345
new file mode 100644
index 0000000000..246e4a86af
--- /dev/null
+++ b/changes/ticket40345
@@ -0,0 +1,5 @@
+ o Minor bugfixes (channel, DoS):
+ - Fix a possible non fatal assertion BUG() due to a too early free of a
+ string when noting down the client connection for the DoS defenses
+ subsystem. Fixes bug 40345; bugfix on 0.4.3.4-rc
+
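Review bot: The entry's first sentence, "Fix a possible non fatal assertion BUG()", mentions only an assertion, while the commit message says NULL was always used instead of the transport name, so that basically no bridge with a transport could use the DoS defenses. I would state that operator-visible effect in the changes entry, since bridge operators reading the changelog will not infer it from the BUG() wording. Two small style points in the same lines: "non fatal" should be "non-fatal", and the final sentence "bugfix on 0.4.3.4-rc" is missing its closing period.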
diff --git a/src/core/or/channel.c b/src/core/or/channel.c
index 9194718e3d..50c03de846 100644
--- a/src/core/or/channel.c
+++ b/src/core/or/channel.c
@@ -1887,11 +1887,11 @@ channel_do_open_actions(channel_t *chan)
geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
&remote_addr, transport_name,
now);
- tor_free(transport_name);
/* Notify the DoS subsystem of a new client. */
if (tlschan && tlschan->conn) {
dos_new_client_conn(tlschan->conn, transport_name);
}
+ tor_free(transport_name);
}
/* Otherwise the underlying transport can't tell us this, so skip it */
}
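Review bot: The relocated tor_free(transport_name) at the end of the block has no comment saying that the string must stay alive until both geoip_note_client_seen() and dos_new_client_conn() have been called, and that missing ordering note is what let the original early free slip in. A one-line comment above the free, something like "Free only after the last consumer of transport_name", would make the ownership explicit. The new placement is only correct if dos_new_client_conn() does not keep the pointer after it returns; that is not visible in this hunk, so it should be confirmed or documented at the callee. Because tor_free() sets the variable to NULL, the old code failed silently rather than crashing, so a regression test asserting that dos_new_client_conn() receives a non-NULL transport name for a connection with a transport would catch a repeat.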