From 2a48c70fa17df09d1315c37426c3c48f6414f701 Mon Sep 17 00:00:00 2001
From: David Barksdale
Date: Mon, 9 Oct 2017 16:11:35 -0500
Subject: [PATCH] Fix use-after-free in revalidate_address
---
 .../gnunet-service-transport_validation.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/transport/gnunet-service-transport_validation.c b/src/transport/gnunet-service-transport_validation.c
index 5a8539f72..27c3c7041 100644
--- a/src/transport/gnunet-service-transport_validation.c
+++ b/src/transport/gnunet-service-transport_validation.c
@@ -697,6 +697,7 @@ revalidate_address (void *cls)
 struct GNUNET_TIME_Relative canonical_delay;
 struct GNUNET_TIME_Relative delay;
 struct GNUNET_TIME_Relative blocked_for;
+ struct GST_BlacklistCheck *bc;
 uint32_t rdelay;
 ve->revalidation_task = NULL;
@@ -788,12 +789,19 @@ revalidate_address (void *cls)
 GST_blacklist_test_cancel (ve->bc);
 ve->bc = NULL;
 }
- ve->bc = GST_blacklist_test_allowed (&ve->address->peer,
- ve->address->transport_name,
- &transmit_ping_if_allowed,
- ve,
- NULL,
- NULL);
+ bc = GST_blacklist_test_allowed (&ve->address->peer,
+ ve->address->transport_name,
+ &transmit_ping_if_allowed,
+ ve,
+ NULL,
+ NULL);
+ if (NULL != bc)
+ {
+ /* If transmit_ping_if_allowed was already called it may have freed ve,
+ * so only set ve->bc if it has not been called.
+ */
+ ve->bc = bc;
+ }
 }
-- 
2.25.1
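Review bot: The new `if (NULL != bc)` guard in the second hunk is only safe under a contract that this patch does not show: GST_blacklist_test_allowed must return NULL in every case where it has already invoked transmit_ping_if_allowed synchronously, and non-NULL only while the callback is still pending. If that holds, the fix is sound, but the invariant should be stated at the call rather than inside the branch, e.g. `/* NULL return: callback already ran and may have freed ve; ve must not be dereferenced after this call unless bc is non-NULL */`. Any other caller that assigns the return value directly into a field of the object it passes as the callback closure would presumably have the same write-after-free, so those call sites are worth checking (none are visible here). revalidate_address starts outside the hunk, so whether anything else reads `ve` between the call and the end of the function cannot be confirmed from these lines alone.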