From a845b07ada7c9348353008f2995588f7cc14d220 Mon Sep 17 00:00:00 2001
From: Rusty Russell <rusty@rustcorp.com.au>
Date: Tue, 7 Mar 2017 11:38:20 +1030
Subject: [PATCH] lightningd/cryptomsg: only free written messages if they're
 marked take().

This fixes a leak in gossip, too.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---
 lightningd/cryptomsg.c     |  3 +++
 lightningd/cryptomsg.h     |  2 +-
 lightningd/gossip/gossip.c | 12 ++++++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/lightningd/cryptomsg.c b/lightningd/cryptomsg.c
index e28547360..1213ed214 100644
--- a/lightningd/cryptomsg.c
+++ b/lightningd/cryptomsg.c
@@ -5,6 +5,7 @@
 #include <ccan/endian/endian.h>
 #include <ccan/mem/mem.h>
 #include <ccan/short_types/short_types.h>
+#include <ccan/take/take.h>
 #include <lightningd/cryptomsg.h>
 #include <sodium/crypto_aead_chacha20poly1305.h>
 #include <status.h>
@@ -313,6 +314,8 @@ struct io_plan *peer_write_message(struct io_conn *conn,
 	assert(!pcs->out);
 
 	pcs->out = cryptomsg_encrypt_msg(conn, &pcs->cs, msg);
+	if (taken(msg))
+		tal_free(msg);
 	pcs->next_out = next;
 
 	/* BOLT #8:
diff --git a/lightningd/cryptomsg.h b/lightningd/cryptomsg.h
index 64d212442..df6a0fa8d 100644
--- a/lightningd/cryptomsg.h
+++ b/lightningd/cryptomsg.h
@@ -39,7 +39,7 @@ struct io_plan *peer_read_message(struct io_conn *conn,
 							  struct peer *,
 							  u8 *msg));
 
-/* Sends and frees message */
+/* Sends message: frees if taken(msg). */
 struct io_plan *peer_write_message(struct io_conn *conn,
 				   struct peer_crypto_state *cs,
 				   const u8 *msg,
diff --git a/lightningd/gossip/gossip.c b/lightningd/gossip/gossip.c
index 1acea299e..36a74f571 100644
--- a/lightningd/gossip/gossip.c
+++ b/lightningd/gossip/gossip.c
@@ -7,6 +7,7 @@
 #include <ccan/list/list.h>
 #include <ccan/noerr/noerr.h>
 #include <ccan/read_write_all/read_write_all.h>
+#include <ccan/take/take.h>
 #include <ccan/tal/str/str.h>
 #include <daemon/broadcast.h>
 #include <daemon/routing.h>
@@ -184,8 +185,11 @@ static struct io_plan *peer_dump_gossip(struct io_conn *conn, struct peer *peer)
 		/* Going to wake up in pkt_out since we mix time based and message based wakeups */
 		return io_out_wait(conn, peer, pkt_out, peer);
 	} else {
-		return peer_write_message(conn, &peer->pcs, next->payload,
-					  peer_dump_gossip);
+		struct io_plan *ret;
+		ret = peer_write_message(conn, &peer->pcs, next->payload,
+					 peer_dump_gossip);
+		tal_free(next);
+		return ret;
 	}
 }
 
@@ -198,7 +202,7 @@ static struct io_plan *pkt_out(struct io_conn *conn, struct peer *peer)
 		out = peer->msg_out[0];
 		memmove(peer->msg_out, peer->msg_out + 1, (sizeof(*peer->msg_out)*(n-1)));
 		tal_resize(&peer->msg_out, n-1);
-		return peer_write_message(conn, &peer->pcs, out, pkt_out);
+		return peer_write_message(conn, &peer->pcs, take(out), pkt_out);
 	}
 
 	if (peer->gossip_sync){
@@ -281,7 +285,7 @@ static struct io_plan *peer_send_init(struct io_conn *conn, struct peer *peer)
 	 * supports.
 	 */
 	return peer_write_message(conn, &peer->pcs,
-				  towire_init(peer, NULL, NULL),
+				  take(towire_init(peer, NULL, NULL)),
 				  peer_init_sent);
 }