From 2527e4072121667966226b9da4f8c481011f3b2f Mon Sep 17 00:00:00 2001
From: Bart Polot
Date: Fri, 26 Jun 2015 15:04:02 +0000
Subject: [PATCH] - GNUNET_CADET_disconnect will destroy pending channels and call the cleanup callback on them, and cleanup_channel does access peer_map. If peer_map is destroyed before CADET_disconnect, a use-after-free happens.
---
 src/rps/gnunet-service-rps.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/rps/gnunet-service-rps.c b/src/rps/gnunet-service-rps.c
index 47627fb51..35d11e90c 100644
--- a/src/rps/gnunet-service-rps.c
+++ b/src/rps/gnunet-service-rps.c
@@ -2380,7 +2380,7 @@ peer_remove_cb (void *cls, const struct GNUNET_PeerIdentity *key, void *value)
 0);
 }
- /* If we are still waiting for notification whether this peer is live
+ /* If we are still waiting for notification whether this peer is live
 * cancel the according task */
 if (NULL != peer_ctx->is_live_task)
 {
@@ -2498,8 +2498,8 @@ shutdown_task (void *cls,
 "Size of the peermap: %u\n",
 GNUNET_CONTAINER_multipeermap_size (peer_map));
 GNUNET_break (0 == GNUNET_CONTAINER_multipeermap_size (peer_map));
- GNUNET_CONTAINER_multipeermap_destroy (peer_map);
 GNUNET_CADET_disconnect (cadet_handle);
+ GNUNET_CONTAINER_multipeermap_destroy (peer_map);
 GNUNET_CONTAINER_multipeermap_destroy (view);
 view = NULL;
 GNUNET_array_grow (push_list, push_list_size, 0);
--
2.25.1
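Review bot: The teardown order in shutdown_task that this fix relies on is recorded only in the commit message, so a later cleanup could move the destroy back above the disconnect and reintroduce the use-after-free. A comment above the disconnect call would pin it, for example `/* CADET disconnect runs cleanup_channel on pending channels, which reads peer_map; destroy the map only afterwards */`. In the visible lines `view` is set to NULL after its destroy but `peer_map` is not, so adding `peer_map = NULL;` directly after `GNUNET_CONTAINER_multipeermap_destroy (peer_map);` would avoid leaving a dangling global for any callback that still runs during shutdown. shutdown_task continues outside the hunk, so the pointer may already be cleared further down.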