From 6a072c4c6ed44fa71a39dbd970b1f09fd933a0f5 Mon Sep 17 00:00:00 2001
From: Christian Decker
Date: Sun, 23 Apr 2017 21:31:32 +0200
Subject: [PATCH] Fix a double-free bug in the negotiation phase

The callback on `key_negotiate` was closing the connection under certain circumstances and would also `free` the key_negotiate, which would then be freed again once it returns. We steal it off of the connection during the callback and doing the free manually afterwards to make sure this can't happen. Thanks to @jgriffiths for tracking this one down. Fixes #142 Reported-By: @bjd and @bgorlick
---
 daemon/cryptopkt.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/daemon/cryptopkt.c b/daemon/cryptopkt.c
index c11a8fc8a..651007821 100644
--- a/daemon/cryptopkt.c
+++ b/daemon/cryptopkt.c
@@ -443,6 +443,9 @@ static struct io_plan *recv_body_negotiate(struct io_conn *conn,
 if (!check_proof(neg, neg->log, pkt, neg->expected_id, &id))
 return io_close(conn);
 
+ /* Steal so that the callback may not accidentally free it for us */
+ tal_steal(NULL, neg);
+
 plan = neg->cb(conn, neg->dstate, neg->iod, neg->log, &id, neg->arg);
 tal_free(neg);
 return plan;
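Review bot: Ownership of `neg` now differs between the two exit paths of this hunk and the added comment should say so: the `check_proof` failure path above still relies on `io_close(conn)` freeing `neg` as a child of `conn`, whereas after `tal_steal(NULL, neg)` this function is the sole owner and any early return added between the steal and `tal_free(neg)` would leak it. I would extend the comment to `/* Steal so that the callback may not accidentally free it for us (e.g. by closing conn). From here on we own neg and must tal_free it on every path. */`. The return value of `tal_steal` is discarded; with a NULL parent I believe no allocation is needed so it cannot fail, but if this tal version can fail to reparent here the result should be checked rather than ignored, since a failure would leave the original double free in place. The enclosing function `recv_body_negotiate` begins outside the hunk.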