connectd: fix double-free crash on connection timeout.

tmpctx may not get cleaned immediately, so the timeout (a child of
the struct early_peer at this point) can still outlast the conn.
Do the clearer thing, and explicitly free the timeout.

Changelog-Fixed: connectd: crash on erroneous timeout.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Rusty Russell 2024-10-14 11:02:08 +10:30 committed by Vincenzo Palazzo
parent f9e28b9bfa
commit 4e6bac6d36


@ -31,6 +31,9 @@ struct early_peer {
enum is_websocket is_websocket;
bool incoming;
/* Timeout in case it takes too long */
struct oneshot *timeout;
};
static bool contains_common_chain(struct bitcoin_blkid *chains)
@ -128,6 +131,9 @@ static struct io_plan *peer_init_received(struct io_conn *conn,
* window where it was: combine the two. */
features = featurebits_or(tmpctx, take(features), globalfeatures);
/* No longer timing out! */
tal_free(peer->timeout);
/* We can dispose of peer after next call. */
tal_steal(tmpctx, peer);
@ -206,9 +212,7 @@ struct io_plan *peer_exchange_initmsg(struct io_conn *conn,
peer->cs = *cs;
peer->incoming = incoming;
peer->is_websocket = is_websocket;
/* Attach timer to early peer, so it gets freed with it. */
notleak(tal_steal(peer, timeout));
peer->timeout = timeout;
/* BOLT #1:
*
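Review bot: In the peer_init_received hunk, `tal_free(peer->timeout);` leaves `peer->timeout` pointing at freed memory while `peer` stays alive until tmpctx is cleaned (the following `tal_steal(tmpctx, peer);` parks it there), which is the same delayed-cleanup window the commit message describes. Since tal_free() returns NULL, writing `peer->timeout = tal_free(peer->timeout);` would make any later access or second free of the field harmless. The peer_exchange_initmsg hunk appears to store the pointer without reparenting it, so the timer's lifetime depends on a tal parent chosen outside the visible lines. The field comment in struct early_peer could record that, e.g. `/* Timeout in case it takes too long: not our tal child, freed explicitly in peer_init_received */`. Both function bodies continue outside the hunks, so any earlier return path in peer_init_received that skips the free is worth checking too.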