From 548037bf5264a8a3bbb2139665bb604014568643 Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Sun, 22 Jun 2025 18:43:54 -0700
Subject: posix tcp: use after free in listener (need to stop before free)
---
 src/platform/posix/posix_tcplisten.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/platform/posix/posix_tcplisten.c b/src/platform/posix/posix_tcplisten.c
index 508f4d1e..700af4c5 100644
--- a/src/platform/posix/posix_tcplisten.c
+++ b/src/platform/posix/posix_tcplisten.c
@@ -149,7 +149,7 @@ tcp_listener_cb(void *arg, unsigned events)
 tcp_listener *l = arg;
 nni_mtx_lock(&l->mtx);
- if ((events & NNI_POLL_INVAL) != 0) {
+ if (((events & NNI_POLL_INVAL) != 0) || (l->closed)) {
 tcp_listener_doclose(l);
 nni_mtx_unlock(&l->mtx);
 return;
@@ -263,6 +263,7 @@ tcp_listener_free(void *arg)
 {
 tcp_listener *l = arg;
+ tcp_listener_stop(l); // should usually already be stopped
 nni_posix_pfd_fini(&l->pfd);
 nni_mtx_fini(&l->mtx);
 NNI_FREE_STRUCT(l);
--
cgit v1.2.3-70-g09d2
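Review bot: The new `|| (l->closed)` arm in tcp_listener_cb sends an already-closed listener through tcp_listener_doclose() again, so that helper has to be safe to run twice on the same listener. Its body is outside this hunk, as are the start and end of tcp_listener_cb, so this cannot be confirmed here. If doclose closes a descriptor or fails pending accepts without first checking its own state, a late poll event would repeat that work. A short comment above the test would record the intent, for example `// a poll event can still arrive after close; treat it like INVAL and do not re-arm`. The extra parentheses around `l->closed` can be dropped.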
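Review bot: The use-after-free fix in tcp_listener_free holds only if tcp_listener_stop() does not return until tcp_listener_cb can no longer run, and only if it is harmless on a listener that was already stopped. Neither property is visible in this hunk, and the function's closing brace is also outside it. The trailing comment `// should usually already be stopped` describes the caller's expectation rather than that contract. Consider replacing it with something like `// must block until the poll callback is quiesced; idempotent, so safe if already stopped`, after confirming that matches stop's implementation. A regression test that frees a listener without stopping it first, run under an address sanitizer, would keep the ordering from regressing.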