From b9cf19175bacaa7579764114b663ecf58b675729 Mon Sep 17 00:00:00 2001
From: Christian Decker
Date: Tue, 7 Jan 2020 20:05:00 +0100
Subject: [PATCH] pay: Fix a use-after-free bug
`wallet_payment_store` frees the unstored payment after it has stored it, but we still need that instance for our notifications. This is the smallest possible fix, but I plan to refactor this out.
---
 lightningd/pay.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lightningd/pay.c b/lightningd/pay.c
index 014fd27e5..64d6897f2 100644
--- a/lightningd/pay.c
+++ b/lightningd/pay.c
@@ -606,8 +606,13 @@ void payment_failed(struct lightningd *ld, const struct htlc_out *hout,
 failmsg,
 fail ? fail->channel_dir : 0);
 
- tell_waiters_failed(ld, &hout->payment_hash, payment,
- pay_errcode, hout->failuremsg, fail, failmsg);
+ /* payment_store -> wallet_payment_store just freed `payment` from
+ * under us (useless indirection), so reload it in order to publish
+ * the notification. */
+ payment = wallet_payment_by_hash(tmpctx, ld->wallet,
+ &hout->payment_hash, hout->partid);
+ tell_waiters_failed(ld, &hout->payment_hash, payment, pay_errcode,
+ hout->failuremsg, fail, failmsg);
 }
 
 /* Wait for a payment. If cmd is deleted, then wait_payment()
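Review bot: The reloaded `payment` from the new `wallet_payment_by_hash(tmpctx, ...)` line is handed straight to `tell_waiters_failed` with no NULL check; the original lookup earlier in `payment_failed` is outside the hunk, so I cannot confirm how it treats a missing row, but this second lookup has no guard at all and a NULL result would presumably be dereferenced inside `tell_waiters_failed` or by the notification it publishes. Because the row was just written by `payment_store`, a missing result here is an invariant violation rather than an expected condition, so a hard check such as `assert(payment); /* payment_store just wrote this row */` placed between the lookup and the call pins that invariant without silently skipping the notification. The new comment should also state that `payment` is dangling from the `payment_store` call until this reassignment, so nothing between the two may touch it — that gap is not visible in the hunk, which is exactly where the next regression would hide. The enclosing function `payment_failed` begins before the hunk.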