jsonrpc: use-after-free bug due to unspecified free behavior 2/2

Using pc after free in the pay_command_destroyed destructor, so we just steal cmd onto pc so free order is the one we want. [ Edit: expanded comment, split commit ] Signed-off-by: Christian Decker <decker.christian@gmail.com>
7 years ago · 3f9ec6c2fa
1 changed files with 5 additions and 0 deletions
--- a/lightningd/pay.c
+++ b/lightningd/pay.c
@ -333,6 +333,11 @@ static void json_sendpay(struct command *cmd,
 	/* Wait until we get response. */
 	tal_add_destructor2(cmd, remove_cmd_from_pc, pc);

+	/* They're both children of ld, but on shutdown make sure we
+	 * destroy the command before the pc, otherwise the
+	 * remove_cmd_from_pc destructor causes a use-after-free */
+	tal_steal(pc, cmd);
+
 	failcode = send_htlc_out(peer, amount, first_hop_data.outgoing_cltv,
 				 &rhash, onion, NULL, pc, &pc->out);
 	if (failcode) {