2 files changed, 7 insertions, 2 deletions

diff --git a/changes/bug4343 b/changes/bug4343
new file mode 100644
index 000000000..cee272b97
--- /dev/null
+++ b/changes/bug4343
@@ -0,0 +1,5 @@
+  o Major bugfixes:
+    - Fix a double-free bug that would occur when we received an invalid
+      certificate in a CERT cell in the new v3 handshake. Fixes bug 4343;
+      bugfix on 0.2.3.6-alpha.
+
diff --git a/src/or/command.c b/src/or/command.c
index d35e2a9c8..aa5a62d54 100644
--- a/src/or/command.c
+++ b/src/or/command.c
@@ -1020,8 +1020,6 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
       ERR("The certs we wanted were missing");
 
     /* Remember these certificates so we can check an AUTHENTICATE cell */
-    conn->handshake_state->id_cert = id_cert;
-    conn->handshake_state->auth_cert = auth_cert;
     if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1))
       ERR("The authentication certificate was not valid");
     if (! tor_tls_cert_is_valid(id_cert, id_cert, 1))
@@ -1032,6 +1030,8 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn)
              safe_str(conn->_base.address), conn->_base.port);
     /* XXXX check more stuff? */
 
+    conn->handshake_state->id_cert = id_cert;
+    conn->handshake_state->auth_cert = auth_cert;
     id_cert = auth_cert = NULL;
   }