aljaz/lightning
1
0
Fork 0
mirror of https://github.com/aljazceru/lightning.git synced 2025-12-24 09:34:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix a double-free bug in the negotiation phase

Browse Source 
The callback on `key_negotiate` was closing the connection under
certain circumstances and would also `free` the key_negotiate, which
would then be freed again once it returns. We steal it off of the
connection during the callback and doing the free manually afterwards
to make sure this can't happen.

Thanks to @jgriffiths for tracking this one down.

Fixes #142

Reported-By: @bjd and @bgorlick
This commit is contained in:
Christian Decker
2017-04-23 21:31:32 +02:00
committed by Rusty Russell
parent 52ee36c595
commit 6a072c4c6e
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
daemon/cryptopkt.c
View File

@@ -443,6 +443,9 @@ static struct io_plan *recv_body_negotiate(struct io_conn *conn,
if (!check_proof(neg, neg->log, pkt, neg->expected_id, &id))
return io_close(conn);
/* Steal so that the callback may not accidentally free it for us */
tal_steal(NULL, neg);
plan = neg->cb(conn, neg->dstate, neg->iod, neg->log, &id, neg->arg);
tal_free(neg);
return plan;