extra tor_free() for create_cell_t in command_process_create_cell()
In command_process_create_cell() (on master, as of commit da04fed865b6df09b33e6b632d51d34b3eb20d14)
memset(&created_cell, 0, sizeof(created_cell));
len = onion_skin_server_handshake(ONION_HANDSHAKE_TYPE_FAST,
create_cell->onionskin,
create_cell->handshake_len,
NULL,
created_cell.reply,
keys, CPATH_KEY_MATERIAL_LEN,
rend_circ_nonce);
tor_free(create_cell);
if (len < 0) {
log_warn(LD_OR,"Failed to generate key material. Closing.");
circuit_mark_for_close(TO_CIRCUIT(circ), END_CIRC_REASON_INTERNAL);
tor_free(create_cell);
return;
}Which is a double-free (somewhat dependent on what the PREDICT_LIKELY macro generates).
I haven't tested yet, but it might be possible to crash relays with this bug. We should probably patch this ASAP.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information