tal: don't access freed memory on unusual case of redundant tal_free() in destructor.
authorRusty Russell <rusty@rustcorp.com.au>
Thu, 1 Mar 2018 06:25:51 +0000 (16:55 +1030)
committerRusty Russell <rusty@rustcorp.com.au>
Thu, 1 Mar 2018 06:25:51 +0000 (16:55 +1030)
We already handle normal free traversal loops, just not ones caused by a
direct tal_free() call, such a calling tal_free() on one's own parent.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
ccan/tal/tal.c

index 177e06f4c71301be66737e298be5c9d51c826afa..0e3c97b390003dfbae3ad82687ce3f35c5d52ce0 100644 (file)
@@ -502,6 +502,8 @@ void *tal_free(const tal_t *ctx)
                struct tal_hdr *t;
                int saved_errno = errno;
                t = debug_tal(to_tal_hdr(ctx));
+               if (unlikely(get_destroying_bit(t->parent_child)))
+                       return NULL;
                if (notifiers)
                        notify(ignore_destroying_bit(t->parent_child)->parent,
                               TAL_NOTIFY_DEL_CHILD, ctx, saved_errno);