From b80ad95f1c576b53e51c422b51d0c65579aa13ac Mon Sep 17 00:00:00 2001
From: Antoine Poinsot
Date: Tue, 8 Sep 2020 11:39:52 +0200
Subject: [PATCH] channel_control: fix an use-after-free

As the cmd gets freed on a received error, the node id in which we iterate in `process_check_funding_broadcast` may gets freed while we are using it.

Signed-off-by: Antoine Poinsot
---
 lightningd/channel_control.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lightningd/channel_control.c b/lightningd/channel_control.c
index c74f42c08..aa0fadf99 100644
--- a/lightningd/channel_control.c
+++ b/lightningd/channel_control.c
@@ -735,10 +735,10 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 /* Peer could have errored out while we were waiting */
 peer = peer_by_id(bitcoind->ld, &cc->peer);
 if (!peer)
-return;
+goto cleanup;
 cancel = find_channel_by_id(peer, &cc->cid);
 if (!cancel)
-return;
+goto cleanup;
 
 if (txout != NULL) {
 for (size_t i = 0; i < tal_count(cancel->forgets); i++)
@@ -748,13 +748,17 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 "please consider `close` or `dev-fail`! "));
 tal_free(cancel->forgets);
 cancel->forgets = tal_arr(cancel, struct command *, 0);
-return;
+goto cleanup;
 }
 
 char *error_reason = "Cancel channel by our RPC "
 "command before funding "
 "transaction broadcast.";
 forget_channel(cancel, error_reason);
+
+cleanup:
+tal_free(cc);
+return;
 }
 
 struct command_result *cancel_channel_before_broadcast(struct command *cmd,
@@ -823,7 +827,7 @@ struct command_result *cancel_channel_before_broadcast(struct command *cmd,
 &cancel_channel->funding_txid,
 cancel_channel->funding_outnum,
 process_check_funding_broadcast,
-notleak(cc));
+notleak(tal_steal(NULL, cc)));
 return command_still_pending(cmd);
 }
 
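Review bot: The `return;` after `tal_free(cc);` under the new `cleanup:` label is redundant at the end of a void function and can be dropped, leaving just `cleanup:` / `tal_free(cc);` before the closing brace. What the function body is missing is a statement of the ownership contract this fix introduces, since nothing there says why `cc` is released here rather than with the command; a comment at the label such as `/* cc was stolen from the command by cancel_channel_before_broadcast; this callback now owns it and must free it on every path. */` would cover the two `goto cleanup` edits in the first hunk as well. The signature and local declarations of process_check_funding_broadcast lie outside the hunk.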
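Review bot: `tal_steal(NULL, cc)` leaves `cc` with no parent, so its only release path is the `tal_free(cc)` inside process_check_funding_broadcast; if the bitcoind request can be dropped without its callback ever running (for instance on daemon shutdown), `cc` now outlives everything where it was previously reaped with `cmd`. That is probably acceptable for an object freed at exit, but the steal deserves a comment at the call site, e.g. `/* cc must outlive cmd: the callback frees it. */`. Separately, if `struct funding_channel` carries a back-pointer to `cmd` or to other objects parented on it, those fields become dangling once `cmd` is freed on an error; the callback reads only `cc->peer` and `cc->cid` today, and that restriction is worth pinning in the same comment. The enclosing function starts outside the hunk.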