From f82096d39f21f30ac11fcf1c65a5b25e85691eae Mon Sep 17 00:00:00 2001
From: Evgeny Ermakov <22344340+unspecd@users.noreply.github.com>
Date: Sun, 3 Jan 2021 17:34:04 -0500
Subject: fixes #1393 Use after free in http (#1395)

---
 src/supplemental/http/http_server.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/supplemental/http/http_server.c b/src/supplemental/http/http_server.c
index 1ebc8907..7f6f9abe 100644
--- a/src/supplemental/http/http_server.c
+++ b/src/supplemental/http/http_server.c
@@ -751,14 +751,16 @@ finish:
 	nni_aio_set_input(sc->cbaio, 1, h);
 	nni_aio_set_input(sc->cbaio, 2, sc->conn);
 
+	// Set a reference -- this because the callback may be running
+	// asynchronously even after it gets removed from the server.
+	nni_atomic_inc64(&h->ref);
+
 	// Documented that we call this on behalf of the callback.
 	if (nni_aio_begin(sc->cbaio) != 0) {
 		nni_mtx_unlock(&s->mtx);
 		return;
 	}
-	// Set a reference -- this because the callback may be running
-	// asynchronously even after it gets removed from the server.
-	nni_atomic_inc64(&h->ref);
+
 	nni_mtx_unlock(&s->mtx);
 	h->cb(sc->cbaio);
 }
-- 
cgit v1.2.3-70-g09d2