From 05a3be15a3a479e3f5f40ed36eefea5664fd40ba Mon Sep 17 00:00:00 2001 From: Christian Decker Date: Fri, 28 May 2021 11:53:41 +0200 Subject: [PATCH] pay: Fix use-after-free issue with routehints in shortlived payments This was triggered by having some part being started after the overall command already gave up, cleaning up the `cmd` context from which the routehints were allocated. The early exit of the command, as a result from a terminal state does not guarantee that no later attempt will try to find a route, especially if the attempt was started before we knew that it is doomed. --- plugins/pay.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plugins/pay.c b/plugins/pay.c index b08c55c64..95d09ba84 100644 --- a/plugins/pay.c +++ b/plugins/pay.c @@ -2026,7 +2026,7 @@ static struct command_result *json_paymod(struct command *cmd, if (!bolt12_has_prefix(b11str)) { b11 = - bolt11_decode(cmd, b11str, plugin_feature_set(cmd->plugin), + bolt11_decode(p, b11str, plugin_feature_set(cmd->plugin), NULL, chainparams, &b11_fail); if (b11 == NULL) return command_fail(cmd, JSONRPC2_INVALID_PARAMS, @@ -2054,7 +2054,7 @@ static struct command_result *json_paymod(struct command *cmd, "Invalid bolt11:" " sets feature var_onion with no secret"); } else { - b12 = invoice_decode(cmd, b11str, strlen(b11str), + b12 = invoice_decode(p, b11str, strlen(b11str), plugin_feature_set(cmd->plugin), chainparams, &b12_fail); if (b12 == NULL)