channel_control: fix an use-after-free

As the cmd gets freed on a received error, the node id in which we iterate in `process_check_funding_broadcast`
may gets freed while we are using it.

Signed-off-by: Antoine Poinsot <[email protected]>

Author: darosior

lightningd/channel_control.c

@@ -745,10 +745,10 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 	/* Peer could have errored out while we were waiting */
 	peer = peer_by_id(bitcoind->ld, &cc->peer);
 	if (!peer)
-		return;
+		goto cleanup;
 	cancel = find_channel_by_id(peer, &cc->cid);
 	if (!cancel)
-		return;
+		goto cleanup;
 
 	if (txout != NULL) {
 		for (size_t i = 0; i < tal_count(cancel->forgets); i++)
@@ -758,20 +758,24 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 				    "please consider `close` or `dev-fail`! "));
 		tal_free(cancel->forgets);
 		cancel->forgets = tal_arr(cancel, struct command *, 0);
-		return;
+		goto cleanup;
 	}
 
 	char *error_reason = "Cancel channel by our RPC "
 			     "command before funding "
 			     "transaction broadcast.";
 	forget_channel(cancel, error_reason);
+
+cleanup:
+	tal_free(cc);
+	return;
 }
 
 struct command_result *cancel_channel_before_broadcast(struct command *cmd,
 						       struct peer *peer)
 {
 	struct channel *cancel_channel;
-	struct channel_to_cancel *cc = tal(cmd, struct channel_to_cancel);
+	struct channel_to_cancel *cc = tal(NULL, struct channel_to_cancel);
 	struct channel *channel;
 
 	cc->peer = peer->id;