author | Nick Mathewson <nickm@torproject.org> | 2014-03-18 11:25:58 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2014-03-18 11:27:08 -0400 |
commit | ec99dd82e44ad4b437ca3e4a3fee26b8bc82472c (patch) | |
tree | 03f23d53284046f55dab5d1aedebdcb0f28e1071 /event.c | |
parent | 860c71c892d4aa4ad79e31a1a2d60af9b0850e41 (diff) | |
Fix a use-after-free error on EV_CLOSURE_EVENT_FINALIZE callbacks

After running the callback, we were checking evcb->evcb_closure to
decide whether to call mm_free(ev). But the callback itself might
have freed ev, so we need to grab that field first.

Found with AddressSanitizer
Diffstat (limited to 'event.c')
-rw-r--r-- | event.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -1584,6 +1584,7 @@ event_process_active_single_queue(struct event_base *base, case EV_CLOSURE_EVENT_FINALIZE: case EV_CLOSURE_EVENT_FINALIZE_FREE: { void (*evcb_evfinalize)(struct event *, void *); + int evcb_closure = evcb->evcb_closure; EVUTIL_ASSERT(ev != NULL); base->current_event = NULL; evcb_evfinalize = ev->ev_evcallback.evcb_cb_union.evcb_evfinalize; @@ -1591,7 +1592,7 @@ event_process_active_single_queue(struct event_base *base, EVBASE_RELEASE_LOCK(base, th_base_lock); evcb_evfinalize(ev, ev->ev_arg); event_debug_note_teardown_(ev); - if (evcb->evcb_closure == EV_CLOSURE_EVENT_FINALIZE_FREE) + if (evcb_closure == EV_CLOSURE_EVENT_FINALIZE_FREE) mm_free(ev); } break; |
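Review bot: The added local `int evcb_closure = evcb->evcb_closure;` in the first hunk (@@ -1584) carries no comment explaining that the copy must be taken before the finalizer runs, so a later cleanup could fold it back into the post-callback `if` and reintroduce the use-after-free. A one-line comment next to the declaration stating that the callback may free ev would pin the ordering down. The local also reuses the field's name, which makes the `-`/`+` lines in the second hunk easy to misread; a distinct name would help. If the struct field is not declared as `int`, the local should match its type.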
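Review bot: In the second hunk (@@ -1591), `event_debug_note_teardown_(ev)` is still handed ev after `evcb_evfinalize(ev, ev->ev_arg)` has returned, and the commit message says that callback may already have freed ev. The changed `if` no longer reads through the stale pointer, but this call sits between the callback and the check and is untouched by the patch. Please confirm that it only uses the pointer value (for example as a lookup key) and never dereferences it; if it does dereference, it has the same problem this commit fixes and should run before the callback or be guarded. A regression test that frees ev inside an EV_CLOSURE_EVENT_FINALIZE callback and runs under AddressSanitizer would keep both paths covered.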