lib: Fix use-after-free when destroying cdap_req

2 files changed, 6 insertions, 1 deletions

diff --git a/src/lib/cdap_req.c b/src/lib/cdap_req.c
index df748058..4eab6fa6 100644
--- a/src/lib/cdap_req.c
+++ b/src/lib/cdap_req.c
@@ -76,6 +76,7 @@ void cdap_req_destroy(struct cdap_req * creq)
                 creq->state = REQ_NULL;
                 pthread_cond_broadcast(&creq->cond);
                 break;
+        case REQ_INIT_PENDING:
         case REQ_PENDING:
         case REQ_RESPONSE:
                 creq->state = REQ_DESTROY;
@@ -151,7 +152,10 @@ void cdap_req_respond(struct cdap_req * creq,
 
         pthread_mutex_lock(&creq->lock);
 
-        while (creq->state == REQ_INIT)
+        if (creq->state == REQ_INIT)
+                creq->state = REQ_INIT_PENDING;
+
+        while (creq->state == REQ_INIT_PENDING)
                 pthread_cond_wait(&creq->cond, &creq->lock);
 
         if (creq->state != REQ_PENDING) {
diff --git a/src/lib/cdap_req.h b/src/lib/cdap_req.h
index 648ebc75..b21467f3 100644
--- a/src/lib/cdap_req.h
+++ b/src/lib/cdap_req.h
@@ -36,6 +36,7 @@ typedef cdap_key_t invoke_id_t;
 enum creq_state {
         REQ_NULL = 0,
         REQ_INIT,
+        REQ_INIT_PENDING,
         REQ_PENDING,
         REQ_RESPONSE,
         REQ_DONE,