aljaz/lightning
1
0
Fork 0
mirror of https://github.com/aljazceru/lightning.git synced 2026-02-12 01:24:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

gossip: Do not cleanup broadcast messages

Browse Source 
Freeing the messages results in a use-after-free when the next peer
attempts to synchronize.
This commit is contained in:
Christian Decker
2017-03-09 11:16:37 +01:00
parent f0c838d250
commit 5277787db5
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
lightningd/gossip/gossip.c
View File

@@ -177,19 +177,20 @@ static void wake_pkt_out(struct peer *peer)
static struct io_plan *peer_dump_gossip(struct io_conn *conn, struct peer *peer)
{
struct queued_message *next;
next = next_broadcast_message(
peer->daemon->rstate->broadcasts, &peer->broadcast_index);
next = next_broadcast_message(peer->daemon->rstate->broadcasts,
&peer->broadcast_index);
if (!next) {
new_reltimer(&peer->daemon->timers, peer, time_from_sec(30), wake_pkt_out, peer);
/* Going to wake up in pkt_out since we mix time based and message based wakeups */
new_reltimer(&peer->daemon->timers, peer, time_from_sec(30),
wake_pkt_out, peer);
/* Going to wake up in pkt_out since we mix time based and
* message based wakeups */
return io_out_wait(conn, peer, pkt_out, peer);
} else {
struct io_plan *ret;
ret = peer_write_message(conn, &peer->pcs, next->payload,
peer_dump_gossip);
tal_free(next);
return ret;
/* Do not free the message after send, queue_broadcast takes
* care of that */
return peer_write_message(conn, &peer->pcs, next->payload,
peer_dump_gossip);
}
}