Skip to content
Snippets Groups Projects
Commit b2e56f84 authored by Hugo Lefeuvre's avatar Hugo Lefeuvre Committed by Adrien Béraud
Browse files

fix: heap-use-after-free in eventLoop() 

it points to an element of the servers_ map. When we call
servers_.erase(it), we free this element. Currently this is done
before calling connectedPeers_.erase(it->first.second) and
turnEndpoints_.erase(it->first.second) hence resulting in heap use
after free.

In this patch we change the order of operation so that
servers_.erase(it) is done at the end.

Change-Id: Ie1b87ebc83e39db189ed651690e9e1dce3496b41
parent 73655917
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 1 addition and 1 deletion
src/ringdht/p2p.cpp
+ 1
1
View file @ b2e56f84
...@@ -646,9 +646,9 @@ DhtPeerConnector::Impl::eventLoop() ...@@ -646,9 +646,9 @@ DhtPeerConnector::Impl::eventLoop()
&& element.second && element.second
&& element.second->hasStreamWithId(id));}); && element.second->hasStreamWithId(id));});
if (it == servers_.end()) break; if (it == servers_.end()) break;
servers_.erase(it);
connectedPeers_.erase(it->first.second); connectedPeers_.erase(it->first.second);
turnEndpoints_.erase(it->first.second); turnEndpoints_.erase(it->first.second);
servers_.erase(it);
} }
break; break;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment