From 316c8f420d8701534d048c2ac2dbf0fb3ec6bed8 Mon Sep 17 00:00:00 2001
From: Antoine Poinsot
Date: Mon, 7 Sep 2020 18:40:35 +0200
Subject: [PATCH 1/2] tools: remove headerversions.o on clean

Signed-off-by: Antoine Poinsot
---
 tools/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/Makefile b/tools/Makefile
index 09bf5d30d011..a863f817cdd3 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -26,5 +26,6 @@ clean: tools-clean
 tools-clean:
 $(RM) tools/headerversions
+ $(RM) tools/headerversions.o
 include tools/test/Makefile
From 00f2d2a88649e8c5b176bd79f548eddb8846a3d8 Mon Sep 17 00:00:00 2001
From: Antoine Poinsot
Date: Tue, 8 Sep 2020 11:39:52 +0200
Subject: [PATCH 2/2] channel_control: fix an use-after-free

As the cmd gets freed on a received error, the node id in which we iterate in `process_check_funding_broadcast` may gets freed while we are using it.

Signed-off-by: Antoine Poinsot
---
 lightningd/channel_control.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lightningd/channel_control.c b/lightningd/channel_control.c
index c74f42c08cbf..aa0fadf990c4 100644
--- a/lightningd/channel_control.c
+++ b/lightningd/channel_control.c
@@ -735,10 +735,10 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 /* Peer could have errored out while we were waiting */
 peer = peer_by_id(bitcoind->ld, &cc->peer);
 if (!peer)
- return;
+ goto cleanup;
 cancel = find_channel_by_id(peer, &cc->cid);
 if (!cancel)
- return;
+ goto cleanup;
 if (txout != NULL) {
 for (size_t i = 0; i < tal_count(cancel->forgets); i++)
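Review bot: Nothing at the two early exits in the -735 hunk of lightningd/channel_control.c records why a plain `return` is no longer acceptable: with this commit the callback owns `cc` and has to release it on every path. A later edit that adds a bare `return` would leak it, and because the call site wraps the pointer in `notleak()`, leak detection would presumably stay silent. A short comment where `cc` is declared would record the contract, for example `/* We own cc (stolen from cmd by the caller): every exit must go through cleanup. */`. The function's opening lines and its locals are outside this hunk, so the placement needs checking against the full file.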
@@ -748,13 +748,17 @@ static void process_check_funding_broadcast(struct bitcoind *bitcoind,
 "please consider `close` or `dev-fail`! "));
 tal_free(cancel->forgets);
 cancel->forgets = tal_arr(cancel, struct command *, 0);
- return;
+ goto cleanup;
 }
 char *error_reason = "Cancel channel by our RPC "
 "command before funding "
 "transaction broadcast.";
 forget_channel(cancel, error_reason);
+
+cleanup:
+ tal_free(cc);
+ return;
 }
 struct command_result *cancel_channel_before_broadcast(struct command *cmd,
@@ -823,7 +827,7 @@ struct command_result *cancel_channel_before_broadcast(struct command *cmd,
 &cancel_channel->funding_txid,
 cancel_channel->funding_outnum,
 process_check_funding_broadcast,
- notleak(cc));
+ notleak(tal_steal(NULL, cc)));
 return command_still_pending(cmd);
 }
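Review bot: The `goto cleanup` jumps added in the -748 hunk and in the -735 hunk pass over the initialised declaration `char *error_reason = ...`, which C permits but GCC reports under `-Wjump-misses-init`. The `return;` after `tal_free(cc);` is also redundant at the end of a void function. Declaring `const char *error_reason;` with the function's other locals and assigning it just before `forget_channel(cancel, error_reason);` keeps every declaration ahead of the first jump, and the label body then reduces to `tal_free(cc);`. The locals sit above the first hunk and are not visible here.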
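Review bot: In the -823 hunk, `tal_steal(NULL, cc)` leaves `cc` with no parent while `notleak()` presumably marks it as intentional, so its only release is the `tal_free(cc)` in `process_check_funding_broadcast`. If the request is dropped and the callback never runs, the allocation stays live with nothing to free or report it; whether the registering call guarantees the callback is not visible here, since its name is above the hunk. Parenting `cc` to a long-lived object rather than NULL would bound its lifetime while still detaching it from `cmd`, for instance the `ld` that the callback reaches through `bitcoind->ld`, if the caller has it in scope. At minimum the argument deserves a comment such as `/* Freed by process_check_funding_broadcast */`.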