net: fix use-after-free with v2->v1 reconnection logic

CConnman::Stop() resets semOutbound, yet m_reconnections is not
cleared in Stop. Each ReconnectionInfo contains a grant member
that points to the memory that semOutbound pointed to and ~CConnman
will attempt to access the grant field (memory that was already
freed) when destroying m_reconnections. Fix this by clearing
m_reconnections in CConnman::StopNodes() (the teardown path run by
Stop()) before semOutbound is reset, and add appropriate annotations.
Eugene Siegel
2025-11-26 15:51:51 -05:00
parent 85d058dc53
commit 167df7a98c
2 changed files with 6 additions and 2 deletions


@@ -3483,6 +3483,8 @@ void CConnman::StopThreads()
void CConnman::StopNodes()
{
AssertLockNotHeld(m_reconnections_mutex);
if (fAddressesInitialized) {
DumpAddresses();
fAddressesInitialized = false;
@@ -3510,6 +3512,7 @@ void CConnman::StopNodes()
DeleteNode(pnode);
}
m_nodes_disconnected.clear();
WITH_LOCK(m_reconnections_mutex, m_reconnections.clear());
vhListenSocket.clear();
semOutbound.reset();
semAddnode.reset();
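Review bot: The ordering that makes this fix work — the new `WITH_LOCK(m_reconnections_mutex, m_reconnections.clear());` must run before `semOutbound.reset()` two lines below, because the grant member of each ReconnectionInfo points at that semaphore — is stated only in the commit message, so a later reorder of these reset calls would silently reintroduce the use-after-free. I would pin it in the code with a comment above the WITH_LOCK line, e.g. `// Must precede the semaphore resets below: each ReconnectionInfo holds a grant that references the semaphore, and releasing it after the semaphore is gone is a use-after-free.` If grants in this list can also be taken from semAddnode (I cannot confirm that from this hunk), the comment should name it too and the clear must likewise stay ahead of `semAddnode.reset()`. The closing brace of StopNodes lies outside the hunk.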