peer_control: Fix a use-after-free bug. (#1237)

This bug is a classic case of being lazy:
1. peer_accept_channel() allocated its return off the input message,
   rather than taking an explicit allocation context.  This concealed the
   lifetime nature of the return.
2. The context for sanitize_error was the error itself, rather than the
   more obvious tmpctx (connect_failed does not take).

The global tmpctx removes the "efficiency" excuse for grabbing a random
object to use as context, and is also nice and explicit.

All-the-hard-work-by: @ZmnSCPxj
ZmnSCPxj, ZmnSCPxj jxPCSmnZ
2018-03-19 17:27:09 +08:00
committed by Rusty Russell
parent e56eee50c8
commit 044705a547
4 changed files with 12 additions and 12 deletions

@@ -16,9 +16,10 @@ void json_add_uncommitted_channel(struct json_result *response,
/* Peer has spontaneously exited from gossip due to open msg. Return
* NULL if we took over, otherwise hand back to gossipd with this
* error.
* error (allocated off @ctx).
*/
u8 *peer_accept_channel(struct lightningd *ld,
u8 *peer_accept_channel(const tal_t *ctx,
struct lightningd *ld,
const struct pubkey *peer_id,
const struct wireaddr *addr,
const struct crypto_state *cs,
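
Review bot: The updated comment on peer_accept_channel() says the error is "allocated off @ctx" but does not say how long the caller may rely on it, which is the lifetime detail the commit message says was concealed before. Consider stating that the returned error is valid only until @ctx is freed, and that a caller keeping it longer must tal_steal() or copy it. The new `const tal_t *ctx` parameter changes the signature for every caller, and none of the call sites are visible in this hunk, so each one should be checked to confirm it passes a context (tmpctx per the commit message) that outlives its use of the returned error.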