use-after-free in cpuworker_onion_handshake_replyfn()
Running git master (37d16c3c) on moria1, I see in my valgrind:
==60115== Invalid read of size 4
==60115== at 0x1F861E: cpuworker_onion_handshake_replyfn (cpuworker.c:339)
==60115== by 0x23FCF1: replyqueue_process (workqueue.c:482)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115== Address 0x148e5360 is 0 bytes inside a block of size 376 free'd
==60115== at 0x4A06430: free (vg_replace_malloc.c:446)
==60115== by 0x1B6823: circuit_close_all_marked (circuitlist.c:460)
==60115== by 0x13E74F: second_elapsed_callback (main.c:1594)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115==
==60115== Invalid read of size 2
==60115== at 0x1F862B: cpuworker_onion_handshake_replyfn (cpuworker.c:351)
==60115== by 0x23FCF1: replyqueue_process (workqueue.c:482)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115== Address 0x148e53e0 is 128 bytes inside a block of size 376 free'd
==60115== at 0x4A06430: free (vg_replace_malloc.c:446)
==60115== by 0x1B6823: circuit_close_all_marked (circuitlist.c:460)
==60115== by 0x13E74F: second_elapsed_callback (main.c:1594)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115==
==60115== Invalid write of size 8
==60115== at 0x1F8633: cpuworker_onion_handshake_replyfn (cpuworker.c:349)
==60115== by 0x23FCF1: replyqueue_process (workqueue.c:482)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
==60115== Address 0x148e5430 is 208 bytes inside a block of size 376 free'd
==60115== at 0x4A06430: free (vg_replace_malloc.c:446)
==60115== by 0x1B6823: circuit_close_all_marked (circuitlist.c:460)
==60115== by 0x13E74F: second_elapsed_callback (main.c:1594)
==60115== by 0x50B9B43: event_base_loop (in /usr/lib64/libevent-1.4.so.2.1.3)
==60115== by 0x13A570: do_main_loop (main.c:2117)
==60115== by 0x13BED4: tor_main (main.c:3096)
==60115== by 0x5D49D5C: (below main) (in /lib64/libc-2.12.so)
(Looks like one bug with three different symptoms)
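Added illustration, not code from Tor or from this ticket: the trace shows the circuit being freed by circuit_close_all_marked() from the once-per-second callback while a finished handshake job is still sitting in the reply queue, so the reply callback dereferences freed memory. The C model below reproduces that ordering with hypothetical names (circuit_t, job_t, queue_handshake(), circuit_free_safe(), handshake_replyfn()) and shows the defensive pattern that avoids the read: the circuit keeps a back-pointer to its pending job, and freeing the circuit either cancels a job that has not started or clears the job's circuit pointer so the reply handler drops the result. The buggy free is included for contrast but is never called, since executing it is exactly the use-after-free valgrind reported.

```c
#include <stdio.h>
#include <stdlib.h>

#define QUEUE_MAX 8

struct job;

/* Hypothetical circuit object: at most one pending handshake job. */
typedef struct circuit {
    int id;
    struct job *pending_job;    /* non-NULL while a job still references us */
    int handshakes_completed;
} circuit_t;

/* Hypothetical work item handed to a worker and returned via the reply queue. */
typedef struct job {
    circuit_t *circ;            /* cleared if the circuit is freed first */
    int running;                /* 1 once a worker has picked it up */
    int result;
} job_t;

/* Constructed single-threaded stand-ins for the work and reply queues. */
static job_t *work_queue[QUEUE_MAX];  static int work_len;
static job_t *reply_queue[QUEUE_MAX]; static int reply_len;

static job_t *queue_handshake(circuit_t *circ) {
    job_t *job = calloc(1, sizeof *job);
    job->circ = circ;
    circ->pending_job = job;    /* back-pointer so free can find the job */
    work_queue[work_len++] = job;
    return job;
}

/* Worker stand-in: runs every queued job and posts it to the reply queue. */
static void workers_run(void) {
    for (int i = 0; i < work_len; i++) {
        job_t *job = work_queue[i];
        job->running = 1;
        job->result = 1;
        reply_queue[reply_len++] = job;
    }
    work_len = 0;
}

/* Remove a not-yet-started job from the work queue; 1 on success. */
static int cancel_from_work_queue(job_t *job) {
    for (int i = 0; i < work_len; i++) {
        if (work_queue[i] == job) {
            work_queue[i] = work_queue[--work_len];
            return 1;
        }
    }
    return 0;
}

/* Buggy free, the shape of the report: the job is never told the circuit is gone.
 * Not called anywhere here; the later replyfn would read freed memory. */
static void circuit_free_unsafe(circuit_t *circ) {
    free(circ);
}

/* Hardened free: cancel the job if it has not run, otherwise detach it. */
static void circuit_free_safe(circuit_t *circ) {
    job_t *job = circ->pending_job;
    if (job) {
        if (!job->running && cancel_from_work_queue(job))
            free(job);              /* never ran, nobody else holds it */
        else
            job->circ = NULL;       /* in flight or awaiting reply: replyfn drops it */
        circ->pending_job = NULL;
    }
    free(circ);
}

/* Main-thread reply handler. Returns 1 if applied, 0 if the circuit was gone. */
static int handshake_replyfn(job_t *job) {
    circuit_t *circ = job->circ;
    int applied = 0;
    if (circ) {
        circ->pending_job = NULL;
        circ->handshakes_completed += job->result;
        applied = 1;
    }
    free(job);
    return applied;
}

static int process_replies(void) {
    int applied = 0;
    for (int i = 0; i < reply_len; i++)
        applied += handshake_replyfn(reply_queue[i]);
    reply_len = 0;
    return applied;
}

/* Ordering from the trace: reply queued, circuit closed, reply processed. */
int scenario_reply_after_free(void) {
    circuit_t *circ = calloc(1, sizeof *circ);
    queue_handshake(circ);
    workers_run();
    circuit_free_safe(circ);
    return process_replies();       /* 0: reply dropped, no dangling access */
}

/* Circuit closed before any worker took the job: job cancelled outright. */
int scenario_cancel_before_run(void) {
    circuit_t *circ = calloc(1, sizeof *circ);
    queue_handshake(circ);
    circuit_free_safe(circ);
    workers_run();
    return process_replies() + work_len + reply_len;   /* 0 */
}

/* Normal ordering: reply applied, then the circuit is freed cleanly. */
int scenario_normal(void) {
    circuit_t *circ = calloc(1, sizeof *circ);
    queue_handshake(circ);
    workers_run();
    int applied = process_replies();
    int done = circ->handshakes_completed;
    circuit_free_safe(circ);
    return applied + done;          /* 2 */
}

int main(void) {
    (void)circuit_free_unsafe;      /* referenced only to document the buggy shape */
    printf("reply after free: %d\n", scenario_reply_after_free());
    printf("cancel before run: %d\n", scenario_cancel_before_run());
    printf("normal: %d\n", scenario_normal());
    return 0;
}
```

The three valgrind stanzas correspond to three field accesses in the same reply handler on the same freed block, which is why the model needs only one guard: once the circuit pointer in the job is cleared at free time, every access in the handler is skipped together.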