From ec99dd82e44ad4b437ca3e4a3fee26b8bc82472c Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 18 Mar 2014 11:25:58 -0400
Subject: [PATCH] Fix a use-after-free error on EV_CLOSURE_EVENT_FINALIZE callbacks

After running the callback, we were checking evcb->evcb_closure to decide whether to call mm_free(ev). But the callback itself might have freed ev, so we need to grab that field first

Found with AddressSanitizer
---
 event.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/event.c b/event.c
index 0c4b30b6..a5e8d0b1 100644
--- a/event.c
+++ b/event.c
@@ -1584,6 +1584,7 @@ event_process_active_single_queue(struct event_base *base,
 case EV_CLOSURE_EVENT_FINALIZE:
 case EV_CLOSURE_EVENT_FINALIZE_FREE: {
 void (*evcb_evfinalize)(struct event *, void *);
+ int evcb_closure = evcb->evcb_closure;
 EVUTIL_ASSERT(ev != NULL);
 base->current_event = NULL;
 evcb_evfinalize = ev->ev_evcallback.evcb_cb_union.evcb_evfinalize;
@@ -1591,7 +1592,7 @@ event_process_active_single_queue(struct event_base *base,
 EVBASE_RELEASE_LOCK(base, th_base_lock);
 evcb_evfinalize(ev, ev->ev_arg);
 event_debug_note_teardown_(ev);
- if (evcb->evcb_closure == EV_CLOSURE_EVENT_FINALIZE_FREE)
+ if (evcb_closure == EV_CLOSURE_EVENT_FINALIZE_FREE)
 mm_free(ev);
 }
 break;
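Review bot: In the second hunk, `event_debug_note_teardown_(ev);` still runs after `evcb_evfinalize(ev, ev->ev_arg);`, so it is handed a pointer the finalizer may already have released — the same hazard this commit closes for the `evcb->evcb_closure` read, and the commit message itself states the callback might free `ev`. Whether the teardown helper dereferences `ev` or only uses its address as a lookup key is not visible in this hunk, but recording the teardown before control leaves the event base avoids the question entirely; I would swap the two lines so they read `event_debug_note_teardown_(ev);` followed by `evcb_evfinalize(ev, ev->ev_arg);`. The enclosing `event_process_active_single_queue` starts and ends outside both hunks, so I cannot confirm from here that nothing else touches `ev` after the callback returns.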