From daf0c12b555bc2baf59b97a7279a8f3f5db16511 Mon Sep 17 00:00:00 2001
From: Christian Grothoff <christian@grothoff.org>
Date: Mon, 9 Jan 2017 07:10:37 +0100
Subject: [PATCH] fix crashes caused by DLL removes preceeding DLL inserts

---
 src/cadet/gnunet-service-cadet_connection.c | 9 +++++----
 src/cadet/gnunet-service-cadet_peer.c       | 6 ++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/cadet/gnunet-service-cadet_connection.c b/src/cadet/gnunet-service-cadet_connection.c
index 1c500f716..fa2bb962b 100644
--- a/src/cadet/gnunet-service-cadet_connection.c
+++ b/src/cadet/gnunet-service-cadet_connection.c
@@ -685,7 +685,7 @@ conn_message_sent (void *cls,
     LOG (GNUNET_ERROR_TYPE_INFO,
          ">>> %s (%s %4u) on conn %s (%p) %s [%5u] in queue %s\n",
          GC_m2s (type), GC_m2s (payload_type), pid, GCC_2s (c), c,
-         GC_f2s(fwd), size,
+         GC_f2s (fwd), size,
          GNUNET_STRINGS_relative_time_to_string (wait, GNUNET_YES));
 
   /* If c is NULL, nothing to update. */
@@ -3264,7 +3264,10 @@ GCC_send_prebuilt_message (const struct GNUNET_MessageHeader *message,
   c->pending_messages++;
 
   q = GNUNET_new (struct CadetConnectionQueue);
+  q->cont = cont;
+  q->cont_cls = cont_cls;
   q->forced = force;
+  GNUNET_CONTAINER_DLL_insert (fc->q_head, fc->q_tail, q);
   q->peer_q = GCP_send (get_hop (c, fwd), message,
                         payload_type, payload_id,
                         c, fwd,
@@ -3272,13 +3275,11 @@ GCC_send_prebuilt_message (const struct GNUNET_MessageHeader *message,
   if (NULL == q->peer_q)
   {
     LOG (GNUNET_ERROR_TYPE_DEBUG, "dropping msg on %s, NULL q\n", GCC_2s (c));
+    GNUNET_CONTAINER_DLL_remove (fc->q_head, fc->q_tail, q);
     GNUNET_free (q);
     GCC_check_connections ();
     return NULL;
   }
-  q->cont = cont;
-  q->cont_cls = cont_cls;
-  GNUNET_CONTAINER_DLL_insert (fc->q_head, fc->q_tail, q);
   GCC_check_connections ();
   return q;
 }
diff --git a/src/cadet/gnunet-service-cadet_peer.c b/src/cadet/gnunet-service-cadet_peer.c
index c312d56bf..9835e5d5e 100644
--- a/src/cadet/gnunet-service-cadet_peer.c
+++ b/src/cadet/gnunet-service-cadet_peer.c
@@ -1106,6 +1106,7 @@ call_peer_cont (struct CadetPeerQueue *q, int sent)
                  q->c, q->c_fwd, sent,
                  q->type, q->payload_type, q->payload_id,
                  q->size, wait_time);
+	q->cont = NULL;
     }
     GNUNET_CONTAINER_DLL_remove (q->peer->q_head, q->peer->q_tail, q);
 }
@@ -1191,7 +1192,8 @@ GCP_send (struct CadetPeer *peer,
     q->payload_id = payload_id;
     q->c = c;
     q->c_fwd = fwd;
-    GNUNET_MQ_notify_sent (q->env, mq_sent, q);
+    GNUNET_MQ_notify_sent (q->env, &mq_sent, q);
+    GNUNET_CONTAINER_DLL_insert (peer->q_head, peer->q_tail, q);
 
     if (GNUNET_YES == q->management_traffic)
     {
@@ -1206,6 +1208,7 @@ GCP_send (struct CadetPeer *peer,
                  q->payload_id, GCC_2s (c), GC_f2s (q->c_fwd));
             GNUNET_MQ_discard (q->env);
             call_peer_cont (q, GNUNET_YES);
+	    GNUNET_CONTAINER_DLL_remove (peer->q_head, peer->q_tail, q);
             GNUNET_free (q);
             return NULL;
         }
@@ -1213,7 +1216,6 @@ GCP_send (struct CadetPeer *peer,
         peer->queue_n++;
     }
 
-    GNUNET_CONTAINER_DLL_insert (peer->q_head, peer->q_tail, q);
     GCC_check_connections ();
     return q;
 }
-- 
2.25.1