From f7222e6d8cf31ce0e2a4653477ab42645c045db6 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 29 Sep 2017 10:00:14 -0400
Subject: [PATCH] Clear outbuf_flushlen when we clear a connection's outbuf

When we added single_conn_free_bytes(), we cleared the outbuf on a connection without setting outbuf_flushlen() to 0. This could cause an assertion failure later on in flush_buf(). Fixes bug 23690; bugfix on 0.2.6.1-alpha.
---
 changes/bug23690 | 5 +++++
 src/or/circuitlist.c | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 changes/bug23690

diff --git a/changes/bug23690 b/changes/bug23690
new file mode 100644
index 000000000..36ff32e49
--- /dev/null
+++ b/changes/bug23690
@@ -0,0 +1,5 @@
+ o Major bugfixes (relay, crash, assertion failure):
+ - Fix a timing-based assertion failure that could occur when the
+ circuit out-of-memory handler freed a connection's output buffer.
+ Fixes bug 23690; bugfix on 0.2.6.1-alpha.
+
diff --git a/src/or/circuitlist.c b/src/or/circuitlist.c
index d7dbfe574..b71048590 100644
--- a/src/or/circuitlist.c
+++ b/src/or/circuitlist.c
@@ -1939,6 +1939,7 @@ single_conn_free_bytes(connection_t *conn)
 if (conn->outbuf) {
 result += buf_allocation(conn->outbuf);
 buf_clear(conn->outbuf);
+ conn->outbuf_flushlen = 0;
 }
 if (conn->type == CONN_TYPE_DIR) {
 dir_connection_t *dir_conn = TO_DIR_CONN(conn);
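Review bot: The added `conn->outbuf_flushlen = 0;` restores the invariant that outbuf_flushlen never claims more bytes than outbuf actually holds, but nothing at the site records that coupling, so the next code path that empties an outbuf is likely to drop it again. Add a why-comment on the new line, e.g. `/* outbuf_flushlen must track the now-empty outbuf; a stale value trips an assertion in flush_buf() (bug 23690). */`. Since the counter is maintained by hand at every place the buffer is cleared, it is worth auditing the other `buf_clear(conn->outbuf)` call sites for the same omission, or funnelling them through one small static helper that clears the buffer and resets the length together. The body of single_conn_free_bytes() continues past the end of the hunk.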