From 3f9ec6c2fa3c8f0f24afe9c8671b18f7255559ff Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Thu, 28 Sep 2017 13:01:47 +0930
Subject: [PATCH] jsonrpc: use-after-free bug due to unspecified free behavior 2/2

Using pc after free in the pay_command_destroyed destructor, so we just steal cmd onto pc so free order is the one we want.

[ Edit: expanded comment, split commit ]

Signed-off-by: Christian Decker
---
 lightningd/pay.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lightningd/pay.c b/lightningd/pay.c
index 0f845d6a7..3c4039794 100644
--- a/lightningd/pay.c
+++ b/lightningd/pay.c
@@ -333,6 +333,11 @@ static void json_sendpay(struct command *cmd,
 	/* Wait until we get response. */
 	tal_add_destructor2(cmd, remove_cmd_from_pc, pc);
 
+	/* They're both children of ld, but on shutdown make sure we
+	 * destroy the command before the pc, otherwise the
+	 * remove_cmd_from_pc destructor causes a use-after-free */
+	tal_steal(pc, cmd);
+
 	failcode = send_htlc_out(peer, amount, first_hop_data.outgoing_cltv,
				 &rhash, onion, NULL, pc, &pc->out);
 	if (failcode) {
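Review bot: The comment above the added `tal_steal(pc, cmd)` states the free order it wants but not the tal property the fix depends on, namely that reparenting cmd under pc makes cmd go away before pc's storage does, so `remove_cmd_from_pc` never touches a freed pc; since the correctness of the destructor pair rests on that ordering rather than on both being children of ld, the comment should name it, e.g. `/* tal frees a child before its parent's storage is released, so with cmd under pc the remove_cmd_from_pc destructor always sees a live pc */` — confirm the exact destructor-vs-children order in tal's free path before wording it. A second consequence worth recording is that cmd's lifetime is now bound to pc: any path that frees pc (pay_command_destroyed's trigger, or the `if (failcode)` branch below if it releases pc) now frees cmd as well, so nothing after such a release may dereference cmd. An ASan run of the sendpay shutdown path would give a regression check for the use-after-free the commit describes. json_sendpay starts before and continues past this hunk.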