Commit 9ca2394d authored by David Goulet's avatar David Goulet 🔆
Browse files

channel: Fix use after free in channel_do_open_actions()

Fortunately, our tor_free() is setting the variable to NULL after so we were
in a situation where NULL was always used instead of the transport name.

This first appeared in 894ff2dc and results in
basically no bridge with a transport being able to use DoS defenses.

Fixes #40345

Signed-off-by: David Goulet's avatarDavid Goulet <dgoulet@torproject.org>
parent 94fb308c
Pipeline #4226 passed with stage
in 17 minutes and 25 seconds
o Minor bugfixes (channel, DoS):
- Fix a possible non fatal assertion BUG() due to a too early free of a
string when noting down the client connection for the DoS defenses
subsystem. Fixes bug 40345; bugfix on 0.4.3.4-rc
......@@ -1887,11 +1887,11 @@ channel_do_open_actions(channel_t *chan)
geoip_note_client_seen(GEOIP_CLIENT_CONNECT,
&remote_addr, transport_name,
now);
tor_free(transport_name);
/* Notify the DoS subsystem of a new client. */
if (tlschan && tlschan->conn) {
dos_new_client_conn(tlschan->conn, transport_name);
}
tor_free(transport_name);
}
/* Otherwise the underlying transport can't tell us this, so skip it */
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment