From b2e56f84fa6605621c3d5f6345b67c86fcbabf7d Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hugo.lefeuvre@savoirfairelinux.com>
Date: Fri, 20 Apr 2018 13:25:53 -0400
Subject: [PATCH] fix: heap-use-after-free in eventLoop()

it points to an element of the servers_ map. When we call
servers_.erase(it), we free this element. Currently this is done
before calling connectedPeers_.erase(it->first.second) and
turnEndpoints_.erase(it->first.second) hence resulting in heap use
after free.

In this patch we change the order of operations so that
servers_.erase(it) is done last.

Change-Id: Ie1b87ebc83e39db189ed651690e9e1dce3496b41
---
 src/ringdht/p2p.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ringdht/p2p.cpp b/src/ringdht/p2p.cpp
index e1f30c5963..5888297ba1 100644
--- a/src/ringdht/p2p.cpp
+++ b/src/ringdht/p2p.cpp
@@ -646,9 +646,9 @@ DhtPeerConnector::Impl::eventLoop()
                                             && element.second
                                             && element.second->hasStreamWithId(id));});
                     if (it == servers_.end()) break;
-                    servers_.erase(it);
                     connectedPeers_.erase(it->first.second);
                     turnEndpoints_.erase(it->first.second);
+                    servers_.erase(it);
                 }
                 break;
 
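Review bot: After the reorder, `connectedPeers_.erase(it->first.second)` and `turnEndpoints_.erase(it->first.second)` still read the key out of the element that the final `servers_.erase(it)` destroys, so the fix holds only as long as the statement order is never touched again. Copying the key out first removes that dependence: add `const auto peerId = it->first.second;` right after the `break` guard and pass `peerId` to the two map erases, leaving `servers_.erase(it);` last; the key's type is not visible in the hunk, so whether the copy is cheap is an assumption to confirm. A one-line comment above the block, `// servers_.erase(it) invalidates it; it must stay the last erase`, would also protect the order against a future edit. eventLoop() starts and ends outside the hunk, so any earlier uses of `it` in the same scope are not visible here.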
-- 
GitLab