component: Fix use-after-free

conn_check_prune_socket() was trying to access deleted NiceCandidate instance. Prune the socket before removing the candidate. Closes #73
author: Jakub Adam <jakub.adam@collabora.com> 2019-03-06 11:31:13 +0100
committer: Jakub Adam <jakub.adam@collabora.com> 2019-03-11 12:53:21 +0100
commit: 541801d48c754bc229d622a40d29b7fc7f60bbbc (patch)
tree: c8c9a66e7ac0b79da40da0ad196abe2419c75080
parent: 67807a17ce983a860804d7732aaf7d2fb56150ba (diff)
download: libnice-541801d48c754bc229d622a40d29b7fc7f60bbbc.tar.gz
1 files changed, 6 insertions, 5 deletions
diff --git a/agent/component.c b/agent/component.c
index c66001c..cb1e979 100644
--- a/agent/component.c
+++ b/agent/component.c
@@ -188,10 +188,14 @@ nice_component_remove_socket (NiceAgent *agent, NiceComponent *cmp,
     }
 
     refresh_prune_candidate (agent, candidate);
-    if (candidate->sockptr != nsocket && stream) {
-      discovery_prune_socket (agent, candidate->sockptr);
+    discovery_prune_socket (agent, candidate->sockptr);
+    if (stream) {
       conn_check_prune_socket (agent, stream, cmp,
           candidate->sockptr);
+    }
+
+    /* Keep nsocket alive since it's used in the loop. */
+    if (candidate->sockptr != nsocket) {
       nice_component_detach_socket (cmp, candidate->sockptr);
     }
     agent_remove_local_candidate (agent, candidate);
@@ -201,9 +205,6 @@ nice_component_remove_socket (NiceAgent *agent, NiceComponent *cmp,
     i = next;
   }
 
-  discovery_prune_socket (agent, nsocket);
-  if (stream)
-    conn_check_prune_socket (agent, stream, cmp, nsocket);
   nice_component_detach_socket (cmp, nsocket);
 }
author	Jakub Adam <jakub.adam@collabora.com>	2019-03-06 11:31:13 +0100
committer	Jakub Adam <jakub.adam@collabora.com>	2019-03-11 12:53:21 +0100
commit	541801d48c754bc229d622a40d29b7fc7f60bbbc (patch)
tree	c8c9a66e7ac0b79da40da0ad196abe2419c75080
parent	67807a17ce983a860804d7732aaf7d2fb56150ba (diff)
download	libnice-541801d48c754bc229d622a40d29b7fc7f60bbbc.tar.gz