peer: don't free unclosed connection.

We need to close it first, otherwise use after free in peer_disconnect. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
9 years ago · 4c136dde98
1 changed files with 8 additions and 1 deletions
--- a/daemon/peer.c
+++ b/daemon/peer.c
@ -163,7 +163,7 @@ static void state_single(struct peer *peer,
 	}

 	/* Break out and free this peer if it's completely done. */
-	if (peer->state == STATE_CLOSED)
+	if (peer->state == STATE_CLOSED && !peer->conn)
 		io_break(peer);
 }

@ -333,7 +333,14 @@ static void peer_disconnect(struct io_conn *conn, struct peer *peer)
 		return;
 	}

+	/* Completely dead?  Free it now. */
+	if (peer->state == STATE_CLOSED) {
+		io_break(peer);
+		return;
+	}
+	
 	/* FIXME: Try to reconnect. */
+	/* This is an expected close. */
 	if (peer->cond == PEER_CLOSED)
 		return;