From 79aed583c14424dcb737eafcdc5273cc4ed40d75 Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Sun, 24 May 2020 16:20:13 -0700
Subject: fixes #1241 SIGSEGV in RepReq's rep0 recv - use after free

This also affects the respondent protocol. Examination of the other protocols did not turn up any evidence of the same issue.
---
 src/protocol/reqrep0/rep.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'src/protocol/reqrep0/rep.c')

diff --git a/src/protocol/reqrep0/rep.c b/src/protocol/reqrep0/rep.c
index d0cc0d55..e750ef56 100644
--- a/src/protocol/reqrep0/rep.c
+++ b/src/protocol/reqrep0/rep.c
@@ -59,6 +59,7 @@ struct rep0_pipe {
 nni_list_node rnode; // receivable list linkage
 nni_list sendq; // contexts waiting to send
 bool busy;
+ bool closed;
 };
 
 static void
@@ -331,6 +332,7 @@ rep0_pipe_close(void *arg)
 nni_aio_close(&p->aio_recv);
 
 nni_mtx_lock(&s->lk);
+ p->closed = true;
 if (nni_list_active(&s->recvpipes, p)) {
 // We are no longer "receivable".
 nni_list_remove(&s->recvpipes, p);
@@ -530,6 +532,14 @@ rep0_pipe_recv_cb(void *arg)
 
 nni_mtx_lock(&s->lk);
 
+ if (p->closed) {
+ // If we are closed, then we can't return data.
+ nni_aio_set_msg(&p->aio_recv, NULL);
+ nni_mtx_unlock(&s->lk);
+ nni_msg_free(msg);
+ return;
+ }
+
 if ((ctx = nni_list_first(&s->recvq)) == NULL) {
 // No one waiting to receive yet, holding pattern.
 nni_list_append(&s->recvpipes, p);
-- 
cgit v1.2.3-70-g09d2
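Review bot: The new `closed` member of struct rep0_pipe has no comment, while the neighbouring `rnode` and `sendq` members do, and its locking rule is what the fix depends on. I would write it as `bool closed; // set in rep0_pipe_close with s->lk held; read in rep0_pipe_recv_cb under the same lock`. Nothing in these hunks ever sets the flag to false, so the check presumably relies on the pipe structure being zeroed when it is created; rep0_pipe_init is outside the diff, so that is worth confirming. The struct definition begins before the hunk.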
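Review bot: The comment in the new `if (p->closed)` branch of rep0_pipe_recv_cb says what the branch does but not why, and the reason is the substance of the fix. The context lines right after the branch append `p` to `s->recvpipes`, the list rep0_pipe_close removes it from, so a callback that completes after close would apparently leave a list entry for a pipe that is being torn down. I would word it `// Pipe was closed while this receive was in flight; it must not go back on recvpipes (#1241).` The function starts before the hunk and continues past it, so the code that obtains and inspects `msg` before the lock is taken is not visible here.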