jsonrpc: use-after-free bug due to unspecified free behavior 2/2

Using pc after free in the pay_command_destroyed destructor, so
we just steal cmd onto pc so free order is the one we want.

[ Edit: expanded comment, split commit ]
Signed-off-by: Christian Decker <decker.christian@gmail.com>
Rusty Russell 2017-09-28 13:01:47 +09:30
parent eac770760c
commit 3f9ec6c2fa

@ -333,6 +333,11 @@ static void json_sendpay(struct command *cmd,
/* Wait until we get response. */
tal_add_destructor2(cmd, remove_cmd_from_pc, pc);
/* They're both children of ld, but on shutdown make sure we
* destroy the command before the pc, otherwise the
* remove_cmd_from_pc destructor causes a use-after-free */
tal_steal(pc, cmd);
failcode = send_htlc_out(peer, amount, first_hop_data.outgoing_cltv,
&rhash, onion, NULL, pc, &pc->out);
if (failcode) {
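Review bot: The tal_steal(pc, cmd) call makes cmd a child of pc from this point on, not only at shutdown, so any path that frees pc now frees cmd with it; the `if (failcode) {` branch right after send_htlc_out should be checked so that it does not free pc and then still use cmd to report the failure. The new comment would read more accurately if it said that cmd is moved from ld to pc by this call, since "They're both children of ld" stops being true once the line below it runs. The commit message also names the destructor pay_command_destroyed while the code registers remove_cmd_from_pc, so one of the two should be corrected to keep the history consistent with the code.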