Commit 223e7cfa authored by Nick Mathewson's avatar Nick Mathewson 🎨
Browse files

When iterating over connections pending DNS, skip marked ones

Failure to do this would lead to double-free cases and similar,
especially when the exit's DNS was broken. See bug 6472 for full
details; this is a fix for 6472.

Anonymous patch from "cypherpunks" on trac.
parent 9ed87b37
o Minor bugfixes:
- Avoid a pair of double-free and use-after-mark bugs that can
occur with certain timings in canceled and re-received DNS
requests. Fix for bug 6472; bugfix on 0.0.7rc1.
......@@ -450,16 +450,17 @@ purge_expired_resolves(time_t now)
if (resolve->pending_connections) {
"Closing pending connections on timed-out DNS resolve!");
while (resolve->pending_connections) {
pend = resolve->pending_connections;
resolve->pending_connections = pend->next;
/* Connections should only be pending if they have no socket. */
pendconn = pend->conn;
if (!pendconn->_base.marked_for_close) {
connection_edge_end(pendconn, END_STREAM_REASON_TIMEOUT);
circuit_detach_stream(circuit_get_by_edge_conn(pendconn), pendconn);
......@@ -1091,6 +1092,13 @@ dns_found_answer(const char *address, uint8_t is_reverse, uint32_t addr,
pendconn = pend->conn; /* don't pass complex things to the
connection_mark_for_close macro */
if (pendconn->_base.marked_for_close) {
/* prevent double-remove. */
pendconn->_base.state = EXIT_CONN_STATE_RESOLVEFAILED;
resolve->pending_connections = pend->next;
tor_addr_from_ipv4h(&pendconn->_base.addr, addr);
pendconn->address_ttl = ttl;
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment