From e9a2778efa6e4ee9940cdb56face621dc319787f Mon Sep 17 00:00:00 2001
From: Florian Dold
Date: Mon, 9 Dec 2013 20:27:32 +0000
Subject: - fix use after free in set union (#3178)
---
 src/set/gnunet-service-set_union.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/set/gnunet-service-set_union.c')
diff --git a/src/set/gnunet-service-set_union.c b/src/set/gnunet-service-set_union.c
index be50ec8d6..6bb28471a 100644
--- a/src/set/gnunet-service-set_union.c
+++ b/src/set/gnunet-service-set_union.c
@@ -982,12 +982,15 @@ send_done_and_destroy (void *cls)
 struct Operation *op = cls;
 struct GNUNET_MQ_Envelope *ev;
 struct GNUNET_SET_ResultMessage *rm;
+ int keep = op->keep;
 ev = GNUNET_MQ_msg (rm, GNUNET_MESSAGE_TYPE_SET_RESULT);
 rm->request_id = htonl (op->spec->client_request_id);
 rm->result_status = htons (GNUNET_SET_STATUS_DONE);
 rm->element_type = htons (0);
 GNUNET_MQ_send (op->spec->set->client_mq, ev);
 _GSS_operation_destroy (op);
+ if (GNUNET_YES == keep)
+ GNUNET_free (op);
 }
@@ -1060,6 +1063,8 @@ finish_and_destroy (struct Operation *op)
 if (GNUNET_SET_RESULT_FULL == op->spec->result_mode)
 {
+ /* prevent that the op is free'd by the tunnel end handler */
+ op->keep = GNUNET_YES;
 GNUNET_log (GNUNET_ERROR_TYPE_DEBUG, "sending full result set\n");
 GNUNET_assert (NULL == op->state->full_result_iter);
 op->state->full_result_iter =
-- cgit v1.2.3
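Review bot: The new `GNUNET_free (op)` at the end of send_done_and_destroy is only correct if `_GSS_operation_destroy` leaves the struct allocated whenever `op->keep` is set, and nothing in the hunk states that contract; a comment above the snapshot such as `/* read keep before destroy: afterwards op may only be freed, never dereferenced */` would make the ownership rule explicit. Keeping the struct alive also does not by itself protect the members dereferenced earlier in the function (`op->spec->client_request_id`, `op->spec->set->client_mq`), so it is worth confirming that the tunnel end handler leaves `op->spec` intact while `keep` is set; that code is outside the hunk. The unbraced `if (GNUNET_YES == keep)` guarding a free would be safer written with braces. The opening lines of the function are outside the hunk.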
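Review bot: Setting `op->keep = GNUNET_YES` in the full-result branch of finish_and_destroy makes send_done_and_destroy the only visible place that releases `op`, so any path that abandons the result iteration before it completes (for example a client disconnect, if that can happen here) would leak the operation. The flag is also never reset in the visible code. I would extend the comment to name the owner, e.g. `/* keep op allocated if the tunnel end handler runs while results are being sent; send_done_and_destroy() frees it */`, and check the other teardown paths for how they treat `keep`. The rest of finish_and_destroy, including the assignment to `full_result_iter`, continues outside the hunk.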