From 167df7a98c8514da6979d45e58fcdcbd0733b8fe Mon Sep 17 00:00:00 2001
From: Eugene Siegel
Date: Wed, 26 Nov 2025 15:51:51 -0500
Subject: [PATCH] net: fix use-after-free with v2->v1 reconnection logic

CConnman::Stop() resets semOutbound, yet m_reconnections is not cleared in Stop. Each ReconnectionInfo contains a grant member that points to the memory that semOutbound pointed to and ~CConnman will attempt to access the grant field (memory that was already freed) when destroying m_reconnections. Fix this by calling m_reconnections.clear() in CConnman::Stop() and add appropriate annotations.
---
 src/net.cpp | 3 +++
 src/net.h   | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/net.cpp b/src/net.cpp
index d335f2dc526..ef1c63044a8 100644
--- a/src/net.cpp
+++ b/src/net.cpp
@@ -3483,6 +3483,8 @@ void CConnman::StopThreads()
 
 void CConnman::StopNodes()
 {
+    AssertLockNotHeld(m_reconnections_mutex);
+
     if (fAddressesInitialized) {
         DumpAddresses();
         fAddressesInitialized = false;
@@ -3510,6 +3512,7 @@ void CConnman::StopNodes()
         DeleteNode(pnode);
     }
     m_nodes_disconnected.clear();
+    WITH_LOCK(m_reconnections_mutex, m_reconnections.clear());
     vhListenSocket.clear();
     semOutbound.reset();
     semAddnode.reset();
diff --git a/src/net.h b/src/net.h
index 25cb8236a3c..c822afe06d1 100644
--- a/src/net.h
+++ b/src/net.h
@@ -1138,9 +1138,10 @@ public:
     bool Start(CScheduler& scheduler, const Options& options) EXCLUSIVE_LOCKS_REQUIRED(!m_total_bytes_sent_mutex, !m_added_nodes_mutex, !m_addr_fetches_mutex, !mutexMsgProc);
 
     void StopThreads();
-    void StopNodes();
-    void Stop()
+    void StopNodes() EXCLUSIVE_LOCKS_REQUIRED(!m_reconnections_mutex);
+    void Stop() EXCLUSIVE_LOCKS_REQUIRED(!m_reconnections_mutex)
     {
+        AssertLockNotHeld(m_reconnections_mutex);
         StopThreads();
         StopNodes();
     };
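Review bot: The new `WITH_LOCK(m_reconnections_mutex, m_reconnections.clear());` in the second net.cpp hunk is order-sensitive — it only closes the use-after-free because it runs before the `semOutbound.reset();` two lines below it, since (per the commit message) each ReconnectionInfo's `grant` refers to the semaphore that `semOutbound` owns — yet nothing in the code records that, so a later reshuffle of these teardown lines would silently reintroduce the bug. I would add a why-comment directly above the new line: `// Must precede semOutbound.reset(): each ReconnectionInfo::grant references the semaphore it owns.` Whether anything can still append to m_reconnections at this point presumably rests on Stop() having already run StopThreads(); StopNodes() is public, so if it is callable on its own that precondition belongs in the same comment. StopNodes() begins before and ends after this hunk.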