Fix possible use after free

2 files changed, 7 insertions, 4 deletions

diff --git a/src/core/message.c b/src/core/message.c
index 00b23a55..f046feb4 100644
--- a/src/core/message.c
+++ b/src/core/message.c
@@ -490,6 +490,7 @@ nni_msg_alloc(nni_msg **mp, size_t sz)
 	if (rv != 0) {
 		nni_chunk_free(&m->m_header);
 		NNI_FREE_STRUCT(m);
+		return (rv);
 	}
 	if ((rv = nni_chunk_append(&m->m_body, NULL, sz)) != 0) {
 		// Should not happen since we just grew it to fit.
diff --git a/src/platform/posix/posix_resolv_gai.c b/src/platform/posix/posix_resolv_gai.c
index a89c4623..5cec0570 100644
--- a/src/platform/posix/posix_resolv_gai.c
+++ b/src/platform/posix/posix_resolv_gai.c
@@ -257,13 +257,15 @@ resolv_ip(const char *host, const char *serv, int passive, int family,
 	// NB: must remain valid until this is completed.  So we have to
 	// keep our own copy.
 
-	if (host == NULL) {
-		item->name = NULL;
-
-	} else if (nni_strnlen(host, sizeof(item->name_buf)) >=
+	if (host != NULL && nni_strnlen(host, sizeof(item->name_buf)) >=
 	    sizeof(item->name_buf)) {
 		NNI_FREE_STRUCT(item);
 		nni_aio_finish_error(aio, NNG_EADDRINVAL);
+		return;
+	}
+
+	if (host == NULL) {
+		item->name = NULL;
 	} else {
 		nni_strlcpy(item->name_buf, host, sizeof(item->name_buf));
 		item->name = item->name_buf;