author | ulfvonbelow <strilen@tilde.club> | 2023-01-29 06:17:52 -0600 |
---|---|---|
committer | Martin Schanzenbach <schanzen@gnunet.org> | 2023-02-06 14:05:33 +0900 |
commit | ecea740a0ca2801db85482e5f26c550fe05c9ac3 (patch) | |
tree | 8697312b458c746e4b47b08a13b8e3c29ab80d86 | |
parent | ebdafecb3b388b5c629ce7855d253415be440edf (diff) | |
PEERSTORE: fix write-after-free in handle_{iterate_end,watch_record}
One of the tests - I forget which one, didn't write it down at the time -
actually does cause h to be freed in its callback. If this isn't supposed to
be allowed, we should find and fix that test.
Signed-off-by: Martin Schanzenbach <schanzen@gnunet.org>
-rw-r--r-- | src/peerstore/peerstore_api.c | 5 |
1 files changed, 3 insertions, 2 deletions
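--- a/src/peerstore/peerstore_api.c
+++ b/src/peerstore/peerstore_api.c
@@ -608,9 +608,10 @@ handle_iterate_end (void *cls, const struct GNUNET_MessageHeader *msg)
 callback_cls = ic->callback_cls;
 ic->iterating = GNUNET_NO;
 GNUNET_PEERSTORE_iterate_cancel (ic);
+/* NOTE: set this here and not after callback because callback may free h */
+h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
 if (NULL != callback)
 callback (callback_cls, NULL, NULL);
-h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
 }
 
 
@@ -781,9 +782,9 @@ handle_watch_record (void *cls, const struct StoreRecordMessage *msg)
 disconnect_and_schedule_reconnect (h);
 return;
 }
+h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
 if (NULL != wc->callback)
 wc->callback (wc->callback_cls, record, NULL);
-h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
 PEERSTORE_destroy_record (record);
 }
 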
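Review bot: In handle_watch_record the reset of `h->reconnect_delay` is moved ahead of `wc->callback (...)` without the comment that handle_iterate_end received, so the one ordering constraint that prevents the write-after-free is undocumented there and easy to reverse in a later cleanup. I would add `/* NOTE: reset before the callback; the callback may free h */` above the moved line. After the callback only `record` is touched in the visible lines, which looks safe provided it is not owned by h (the function body starts outside the hunk, so that cannot be confirmed here). Running the peerstore tests under AddressSanitizer would identify the test that frees h in its callback and keep this ordering from regressing.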