From af7e0a11831e512169098c244deee1c12a02df67 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Fri, 1 Oct 2021 06:49:37 +0930
Subject: [PATCH] offers: save replytok properly.
We carefully copied the buffer, but the tok is inside an array. We get away with it for now, but with coming changes it gets freed. We need to copy the token and all the tokens within it.
Signed-off-by: Rusty Russell
---
 plugins/offers_inv_hook.c | 3 ++-
 plugins/offers_invreq_hook.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/plugins/offers_inv_hook.c b/plugins/offers_inv_hook.c
index 2e6ad7eff..8d5ebfbd9 100644
--- a/plugins/offers_inv_hook.c
+++ b/plugins/offers_inv_hook.c
@@ -327,7 +327,8 @@ struct command_result *handle_invoice(struct command *cmd,
 /* Make a copy of entire buffer, for later. */
 inv->buf = tal_dup_arr(inv, char, buf, replytok->end, 0);
- inv->replytok = replytok;
+ inv->replytok = tal_dup_arr(inv, jsmntok_t, replytok,
+ json_next(replytok) - replytok, 0);
 inv->inv = tlv_invoice_new(cmd);
 if (!fromwire_invoice(&invbin, &len, inv->inv)) {
diff --git a/plugins/offers_invreq_hook.c b/plugins/offers_invreq_hook.c
index 4a0d6a956..8d27f2edc 100644
--- a/plugins/offers_invreq_hook.c
+++ b/plugins/offers_invreq_hook.c
@@ -838,7 +838,8 @@ struct command_result *handle_invoice_request(struct command *cmd,
 /* Make a copy of entire buffer, for later. */
 ir->buf = tal_dup_arr(ir, char, buf, replytok->end, 0);
- ir->replytok = replytok;
+ ir->replytok = tal_dup_arr(ir, jsmntok_t, replytok,
+ json_next(replytok) - replytok, 0);
 ir->invreq = tlv_invoice_request_new(cmd);
 if (!fromwire_invoice_request(&invreqbin, &len, ir->invreq)) {
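Review bot: The new `inv->replytok = tal_dup_arr(inv, jsmntok_t, replytok, json_next(replytok) - replytok, 0);` in handle_invoice has no comment explaining why the token subtree is copied, and the comment above it still describes only the buffer copy. The copied tokens' offsets are only meaningful against `inv->buf`, which holds the first `replytok->end` bytes, so a later edit that pairs them with another buffer or goes back to storing the caller's pointer would bring back the dangling-token problem the commit message describes. I would add above the assignment: `/* replytok points into the caller's token array: copy it and all its children so they outlive this call; offsets index inv->buf. */`. The same applies to `ir->replytok` in handle_invoice_request in the second hunk, and because the expression is duplicated verbatim in both files, a small shared helper would keep the token-count computation in one place. Both function bodies start and end outside the hunks.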