From 5277787db5e94fda52098dbab20c8c18d68834d6 Mon Sep 17 00:00:00 2001
From: Christian Decker
Date: Thu, 9 Mar 2017 11:16:37 +0100
Subject: [PATCH] gossip: Do not cleanup broadcast messages
Freeing the messages results in a use-after-free when the next peer attempts to synchronize.
---
 lightningd/gossip/gossip.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/lightningd/gossip/gossip.c b/lightningd/gossip/gossip.c
index 36a74f571..eba07f20c 100644
--- a/lightningd/gossip/gossip.c
+++ b/lightningd/gossip/gossip.c
@@ -177,19 +177,20 @@ static void wake_pkt_out(struct peer *peer)
 static struct io_plan *peer_dump_gossip(struct io_conn *conn, struct peer *peer)
 {
 struct queued_message *next;
- next = next_broadcast_message( peer->daemon->rstate->broadcasts, &peer->broadcast_index);
+ next = next_broadcast_message(peer->daemon->rstate->broadcasts, &peer->broadcast_index);
 if (!next) {
- new_reltimer(&peer->daemon->timers, peer, time_from_sec(30), wake_pkt_out, peer);
- /* Going to wake up in pkt_out since we mix time based and message based wakeups */
+ new_reltimer(&peer->daemon->timers, peer, time_from_sec(30), wake_pkt_out, peer);
+ /* Going to wake up in pkt_out since we mix time based and * message based wakeups */
 return io_out_wait(conn, peer, pkt_out, peer);
 } else {
- struct io_plan *ret;
- ret = peer_write_message(conn, &peer->pcs, next->payload, peer_dump_gossip);
- tal_free(next);
- return ret;
+ /* Do not free the message after send, queue_broadcast takes * care of that */
+ return peer_write_message(conn, &peer->pcs, next->payload, peer_dump_gossip);
 }
 }
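Review bot: Dropping the `tal_free(next)` moves ownership of the message to the broadcast queue, but `peer_write_message` only starts an asynchronous write of `next->payload` that completes later in `peer_dump_gossip`, so the fix holds only if the queue never frees or replaces that entry while any peer's write of it is still in flight; nothing in the hunk shows where that guarantee lives, and the new comment names `queue_broadcast` without stating it. I would make the lifetime contract explicit at the call site, e.g. `/* next is owned by rstate->broadcasts, which must keep it (and its payload) alive until every peer's in-flight write of it has completed; see queue_broadcast */`, so the next person who changes the queue's eviction or replacement policy knows what they are breaking. If the queue can replace an entry in place (an older message superseded by a newer one), it is worth a test that exercises a slow peer mid-write while a replacement arrives, since that would reintroduce the use-after-free this commit fixes on the other side. The enclosing function `peer_dump_gossip` lies entirely within the hunk.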