From 4c136dde985d28505a68b71d4533562301769125 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Mon, 11 Apr 2016 16:29:43 +0930
Subject: [PATCH] peer: don't free unclosed connection.

We need to close it first, otherwise use after free in peer_disconnect.

Signed-off-by: Rusty Russell
---
 daemon/peer.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/daemon/peer.c b/daemon/peer.c
index 552a60667..e4abebef3 100644
--- a/daemon/peer.c
+++ b/daemon/peer.c
@@ -163,7 +163,7 @@ static void state_single(struct peer *peer,
 	}
 
 	/* Break out and free this peer if it's completely done. */
-	if (peer->state == STATE_CLOSED)
+	if (peer->state == STATE_CLOSED && !peer->conn)
 		io_break(peer);
 }
 
@@ -333,7 +333,14 @@ static void peer_disconnect(struct io_conn *conn, struct peer *peer)
 		return;
 	}
 
+	/* Completely dead? Free it now. */
+	if (peer->state == STATE_CLOSED) {
+		io_break(peer);
+		return;
+	}
+
 	/* FIXME: Try to reconnect. */
+	/* This is an expected close. */
 	if (peer->cond == PEER_CLOSED)
 		return;
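Review bot: The comment above the changed condition in state_single still reads "Break out and free this peer if it's completely done", which no longer explains why `!peer->conn` is now required; the reason given in the commit message (freeing a peer while its io_conn is still live leaves peer_disconnect() operating on freed memory) belongs next to the check, e.g. `/* Only free once the connection is gone too: freeing with a live conn would leave peer_disconnect() with a dangling peer. */`. With this change, a peer in STATE_CLOSED is now freed only from the connection's close path, so it is worth stating in that comment who is responsible for closing peer->conn once STATE_CLOSED is reached; nothing in this hunk shows that, and if no caller does, the peer lingers until the remote side drops the connection. state_single starts outside the hunk.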