From: Rusty Russell
Date: Thu, 1 Mar 2018 06:25:51 +0000 (+1030)
Subject: tal: don't access freed memory on unusual case of redundant tal_free() in destructor.
X-Git-Url: https://git.ozlabs.org/?p=ccan;a=commitdiff_plain;h=41a0af50bf7e9cee7ad5ffdd288647ea2c3a6c38

tal: don't access freed memory on unusual case of redundant tal_free() in destructor.

We already handle normal free traversal loops, just not ones caused by a direct tal_free() call, such as calling tal_free() on one's own parent.

Signed-off-by: Rusty Russell
---

diff --git a/ccan/tal/tal.c b/ccan/tal/tal.c index 177e06f4..0e3c97b3 100644 --- a/ccan/tal/tal.c +++ b/ccan/tal/tal.c @@ -502,6 +502,8 @@ void *tal_free(const tal_t *ctx) struct tal_hdr *t; int saved_errno = errno; t = debug_tal(to_tal_hdr(ctx)); + if (unlikely(get_destroying_bit(t->parent_child))) + return NULL; if (notifiers) notify(ignore_destroying_bit(t->parent_child)->parent, TAL_NOTIFY_DEL_CHILD, ctx, saved_errno);
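Review bot: The new early return in tal_free(), `if (unlikely(get_destroying_bit(t->parent_child))) return NULL;`, carries no comment explaining that a set destroying bit means this object is already being torn down and the call is a redundant free from a destructor. A one-line comment above the check would keep a later reader from treating it as dead code, since the reason is only in the commit message. The guard itself reads `t->parent_child`, so it protects only while the header is still allocated and marked as destroying; it is worth stating that limit in the comment. The patch touches only ccan/tal/tal.c, so a regression test that calls tal_free() on the object's own parent from inside a destructor, the case the commit message names, should accompany it. The return also sits after `saved_errno = errno` without restoring it; if debug_tal() can modify errno, set `errno = saved_errno` before returning.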