authorNick Mathewson <nickm@torproject.org>2014-03-18 11:25:58 -0400
committerNick Mathewson <nickm@torproject.org>2014-03-18 11:27:08 -0400
commitec99dd82e44ad4b437ca3e4a3fee26b8bc82472c (patch)
tree03f23d53284046f55dab5d1aedebdcb0f28e1071 /event.c
parent860c71c892d4aa4ad79e31a1a2d60af9b0850e41 (diff)
Fix a use-after-free error on EV_CLOSURE_EVENT_FINALIZE callbacks
After running the callback, we were checking evcb->evcb_closure to decide whether to call mm_free(ev). But the callback itself might have freed ev, so we need to grab that field first. Found with AddressSanitizer.
Diffstat (limited to 'event.c')
-rw-r--r--event.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/event.c b/event.c
index 0c4b30b6..a5e8d0b1 100644
--- a/event.c
+++ b/event.c
@@ -1584,6 +1584,7 @@ event_process_active_single_queue(struct event_base *base,
case EV_CLOSURE_EVENT_FINALIZE:
case EV_CLOSURE_EVENT_FINALIZE_FREE: {
void (*evcb_evfinalize)(struct event *, void *);
+ int evcb_closure = evcb->evcb_closure;
EVUTIL_ASSERT(ev != NULL);
base->current_event = NULL;
evcb_evfinalize = ev->ev_evcallback.evcb_cb_union.evcb_evfinalize;
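Review bot: The new local `evcb_closure` has no comment explaining why the field is copied before the callback runs, so a later cleanup could fold it back into a direct `evcb->evcb_closure` read and reintroduce the use-after-free. A one-line comment above the declaration would pin the intent, for example `/* Snapshot now: the finalize callback may free ev, and evcb with it. */`. The field's declared type is not visible here, so it is worth confirming that `int` matches it or at least holds every closure value. The enclosing function starts and ends outside the hunk.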
@@ -1591,7 +1592,7 @@ event_process_active_single_queue(struct event_base *base,
EVBASE_RELEASE_LOCK(base, th_base_lock);
evcb_evfinalize(ev, ev->ev_arg);
event_debug_note_teardown_(ev);
- if (evcb->evcb_closure == EV_CLOSURE_EVENT_FINALIZE_FREE)
+ if (evcb_closure == EV_CLOSURE_EVENT_FINALIZE_FREE)
mm_free(ev);
}
break;
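Review bot: `event_debug_note_teardown_(ev)` still receives `ev` after `evcb_evfinalize(ev, ev->ev_arg)` has returned, and the commit message says the callback may already have freed `ev`. If that helper only uses the pointer value as a lookup key this is harmless, but its definition is not visible in the hunk, so it should be confirmed that it never dereferences `ev`. A comment after the callback, such as `/* ev may be freed from here on: do not dereference it */`, would make the constraint explicit. It would also help to document that a finalizer registered as `EV_CLOSURE_EVENT_FINALIZE_FREE` must not free `ev` itself, because `mm_free(ev)` would then be a double free.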