
Commit 3beb926

committed
channel_control: fix an use-after-free
As the cmd gets freed on a received error, the node id we iterate over in `process_check_funding_broadcast` may get freed while we are still using it. Signed-off-by: Antoine Poinsot <[email protected]>
1 parent fd00f70 commit 3beb926

1 file changed

+8
-4
lines changed

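--- a/lightningd/channel_control.c
+++ b/lightningd/channel_control.c
@@ -745,10 +745,10 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 /* Peer could have errored out while we were waiting */
 peer = peer_by_id(bitcoind->ld, &cc->peer);
 if (!peer)
-return;
+goto cleanup;
 cancel = find_channel_by_id(peer, &cc->cid);
 if (!cancel)
-return;
+goto cleanup;
 
 if (txout != NULL) {
 for (size_t i = 0; i < tal_count(cancel->forgets); i++)
@@ -758,20 +758,24 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 "please consider `close` or `dev-fail`! "));
 tal_free(cancel->forgets);
 cancel->forgets = tal_arr(cancel, struct command *, 0);
-return;
+goto cleanup;
 }
 
 char *error_reason = "Cancel channel by our RPC "
 "command before funding "
 "transaction broadcast.";
 forget_channel(cancel, error_reason);
+
+cleanup:
+tal_free(cc);
+return;
 }
 
 struct command_result *cancel_channel_before_broadcast(struct command *cmd,
 struct peer *peer)
 {
 struct channel *cancel_channel;
-struct channel_to_cancel *cc = tal(cmd, struct channel_to_cancel);
+struct channel_to_cancel *cc = tal(NULL, struct channel_to_cancel);
 struct channel *channel;
 
 cc->peer = peer->id;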
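Review bot: With `cc` now allocated with a NULL parent at new line 778, the only thing that ever frees it is the `cleanup:` label in `process_check_funding_broadcast` (new lines 769-770), so the struct's lifetime is no longer tied to anything; if the bitcoind lookup never calls back (for instance on shutdown before the reply arrives) it would presumably leak, which is worth stating explicitly next to the allocation, e.g. `/* Not owned by cmd: the command may be freed on an error before the bitcoind callback runs; process_check_funding_broadcast frees cc at cleanup. */`. The same ownership comment would help at the `cleanup:` label, since a reader of the first hunk otherwise sees `goto cleanup` replacing plain returns with no hint of what is being released. The trailing `return;` after `tal_free(cc);` at the end of a void function is redundant and could be dropped. `cancel_channel_before_broadcast` continues outside the hunk, so whether `cc` is handed to the bitcoind request on every path after the visible lines cannot be checked here.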
