From b06cfc9b9dcab71878210e7541e7360f51fc72ab Mon Sep 17 00:00:00 2001
From: ulfvonbelow <strilen@tilde.club>
Date: Sun, 29 Jan 2023 06:17:52 -0600
Subject: [PATCH] PEERSTORE: fix write-after-free in
 handle_{iterate_end,watch_record}

One of the tests - I forget which one, didn't write it down at the time -
actually does cause h to be freed in its callback. If this isn't supposed to
be allowed, we should find and fix that test.
---
 src/peerstore/peerstore_api.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/peerstore/peerstore_api.c b/src/peerstore/peerstore_api.c
index b3e793d93..1c13369cf 100644
--- a/src/peerstore/peerstore_api.c
+++ b/src/peerstore/peerstore_api.c
@@ -608,9 +608,10 @@ handle_iterate_end (void *cls, const struct GNUNET_MessageHeader *msg)
   callback_cls = ic->callback_cls;
   ic->iterating = GNUNET_NO;
   GNUNET_PEERSTORE_iterate_cancel (ic);
+  /* NOTE: set this here and not after callback because callback may free h */
+  h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
   if (NULL != callback)
     callback (callback_cls, NULL, NULL);
-  h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
 }
 
 
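Review bot: The reordering commits the API to a contract the commit message itself is unsure about — that an iterate callback may free `h` (e.g. by disconnecting) — yet that contract is only recorded in a local NOTE here; it should be stated where callers read it, in the doc comment of the public iterate function in the header, as something like `The callback may call GNUNET_PEERSTORE_disconnect() on the handle; the API must not touch @a h after invoking it.` Within this hunk the move is sound: `callback` and `callback_cls` are copied out before `GNUNET_PEERSTORE_iterate_cancel (ic)` frees the context, and nothing dereferences `h` or `ic` after the call. One behavioural consequence worth a sentence in the commit message is that `reconnect_delay` is now already zero while the callback runs, so a reconnect triggered from inside the callback sees the reset value rather than the previous delay. handle_iterate_end begins outside the hunk.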
@@ -781,9 +782,9 @@ handle_watch_record (void *cls, const struct StoreRecordMessage *msg)
     disconnect_and_schedule_reconnect (h);
     return;
   }
+  h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
   if (NULL != wc->callback)
     wc->callback (wc->callback_cls, record, NULL);
-  h->reconnect_delay = GNUNET_TIME_UNIT_ZERO;
   PEERSTORE_destroy_record (record);
 }
 
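Review bot: The same reordering as in handle_iterate_end is applied here without the explanatory comment, so a later tidy-up could move the assignment back below the callback and reintroduce the write-after-free; add the same note above it, `/* set before the callback: the callback may disconnect and free h */`. The move itself is safe as far as the hunk shows: `wc->callback` and `wc->callback_cls` are read before the call, and the only statement after it, `PEERSTORE_destroy_record (record)`, touches the local record rather than `h` or `wc`. If the callback is also allowed to cancel the watch (freeing `wc`), that is fine for this code path but should be documented alongside the free-`h` contract in the public header. handle_watch_record begins outside the hunk.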
-- 
2.38.1

