From 6a2a8aa7806953d221f8818982a30cdcea47a82b Mon Sep 17 00:00:00 2001
From: Garrett D'Amore
Date: Mon, 27 May 2024 19:21:17 -0700
Subject: Free SP protocol streams before discarding aio objects.
This seems to alleviate the use after free crashes, although it does not seem like it should. Current theory is that this closes the handle ensuring that it is unregistered from the I/O subsystem, thus preventing callbacks from firing and referring to objects that have been freed.
---
 src/sp/transport/ipc/ipc.c | 2 +-
 src/sp/transport/tcp/tcp.c | 2 +-
 src/sp/transport/tls/tls.c | 2 +-
 src/sp/transport/ws/websocket.c | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/sp')
diff --git a/src/sp/transport/ipc/ipc.c b/src/sp/transport/ipc/ipc.c
index 18972bab..a9aa0113 100644
--- a/src/sp/transport/ipc/ipc.c
+++ b/src/sp/transport/ipc/ipc.c
@@ -150,10 +150,10 @@ ipc_pipe_fini(void *arg)
 }
 nni_mtx_unlock(&ep->mtx);
 }
+ nng_stream_free(p->conn);
 nni_aio_fini(&p->rx_aio);
 nni_aio_fini(&p->tx_aio);
 nni_aio_fini(&p->neg_aio);
- nng_stream_free(p->conn);
 if (p->rx_msg) {
 nni_msg_free(p->rx_msg);
 }
diff --git a/src/sp/transport/tcp/tcp.c b/src/sp/transport/tcp/tcp.c
index 95881dd9..be2e0345 100644
--- a/src/sp/transport/tcp/tcp.c
+++ b/src/sp/transport/tcp/tcp.c
@@ -153,10 +153,10 @@ tcptran_pipe_fini(void *arg)
 nni_mtx_unlock(&ep->mtx);
 }
+ nng_stream_free(p->conn);
 nni_aio_free(p->rxaio);
 nni_aio_free(p->txaio);
 nni_aio_free(p->negoaio);
- nng_stream_free(p->conn);
 nni_msg_free(p->rxmsg);
 nni_mtx_fini(&p->mtx);
 NNI_FREE_STRUCT(p);
diff --git a/src/sp/transport/tls/tls.c b/src/sp/transport/tls/tls.c
index 631d74d7..240b1ed9 100644
--- a/src/sp/transport/tls/tls.c
+++ b/src/sp/transport/tls/tls.c
@@ -153,10 +153,10 @@ tlstran_pipe_fini(void *arg)
 }
 nni_mtx_unlock(&ep->mtx);
 }
+ nng_stream_free(p->tls);
 nni_aio_free(p->rxaio);
 nni_aio_free(p->txaio);
 nni_aio_free(p->negoaio);
- nng_stream_free(p->tls);
 nni_msg_free(p->rxmsg);
 NNI_FREE_STRUCT(p);
 }
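Review bot: The new position of `nng_stream_free(p->conn)` in ipc_pipe_fini is load-bearing, yet nothing in the code says so; the same holds for the reordered calls in tcptran_pipe_fini, tlstran_pipe_fini and wstran_pipe_fini. A later cleanup that regroups the frees would silently bring the use-after-free back, so each site should carry a comment such as `/* Free the stream before the aios: closing the handle is believed to unregister it from the I/O subsystem, so no callback can touch the aios released below. */`. The commit message itself calls this a theory, so the comment should stay hedged until the callback path is confirmed, ideally with an address-sanitizer run over pipe teardown. The bodies of the three functions in this part of the patch start outside their hunks.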
diff --git a/src/sp/transport/ws/websocket.c b/src/sp/transport/ws/websocket.c
index 69509e84..3def08d3 100644
--- a/src/sp/transport/ws/websocket.c
+++ b/src/sp/transport/ws/websocket.c
@@ -200,10 +200,10 @@ wstran_pipe_fini(void *arg)
 {
 ws_pipe *p = arg;
+ nng_stream_free(p->ws);
 nni_aio_free(p->rxaio);
 nni_aio_free(p->txaio);
- nng_stream_free(p->ws);
 nni_mtx_fini(&p->mtx);
 NNI_FREE_STRUCT(p);
 }
--
cgit v1.2.3-70-g09d2
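Review bot: The body of wstran_pipe_fini is visible in this hunk, and nothing in it quiesces `rxaio` or `txaio` before `nng_stream_free(p->ws)` releases the stream those operations run on. If an operation can still be pending when fini runs, teardown now depends on the stream's free routine aborting it and waiting for its completion callback, which this diff does not show. Unless a stop hook outside this patch already guarantees that, consider calling `nni_aio_stop(p->rxaio);` and `nni_aio_stop(p->txaio);` ahead of the stream free, or state the precondition in a comment above the function.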