From 47c24ddbd6d2766797e4c2f3e05a93f0cb45f2cd Mon Sep 17 00:00:00 2001
From: dimitri staessens <dimitri.staessens@ugent.be>
Date: Fri, 31 Mar 2017 22:35:51 +0200
Subject: lib: Fix use-after-free when destroying cdap_req

---
 src/lib/cdap_req.c | 6 +++++-
 src/lib/cdap_req.h | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)


diff --git a/src/lib/cdap_req.c b/src/lib/cdap_req.c
index df748058..4eab6fa6 100644
--- a/src/lib/cdap_req.c
+++ b/src/lib/cdap_req.c
@@ -76,6 +76,7 @@ void cdap_req_destroy(struct cdap_req * creq)
                 creq->state = REQ_NULL;
                 pthread_cond_broadcast(&creq->cond);
                 break;
+        case REQ_INIT_PENDING:
         case REQ_PENDING:
         case REQ_RESPONSE:
                 creq->state = REQ_DESTROY;
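Review bot: The new `case REQ_INIT_PENDING:` at the top of the hunk is grouped with REQ_PENDING/REQ_RESPONSE so that destruction hands off through REQ_DESTROY instead of taking the immediate REQ_NULL path in the REQ_INIT case just above, but nothing in the switch says why, and a later cleanup could easily merge it back into REQ_INIT and reintroduce the use-after-free. Suggest `case REQ_INIT_PENDING: /* a responder is blocked in cdap_req_respond; hand off via REQ_DESTROY so it releases creq before we free it */`. After this patch cdap_req_respond moves the state to REQ_INIT_PENDING before it ever waits, so the broadcast in the REQ_INIT case above appears to have no remaining waiter unless some other path outside this patch waits on cond in REQ_INIT — worth confirming. cdap_req_destroy begins before the hunk and the code after the REQ_DESTROY assignment, where the actual free presumably happens, is outside it.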
@@ -151,7 +152,10 @@ void cdap_req_respond(struct cdap_req * creq,
 
         pthread_mutex_lock(&creq->lock);
 
-        while (creq->state == REQ_INIT)
+        if (creq->state == REQ_INIT)
+                creq->state = REQ_INIT_PENDING;
+
+        while (creq->state == REQ_INIT_PENDING)
                 pthread_cond_wait(&creq->cond, &creq->lock);
 
         if (creq->state != REQ_PENDING) {
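Review bot: The transition out of REQ_INIT_PENDING is not part of this patch: the `if (creq->state == REQ_INIT)` at the top of the hunk moves the state forward, but whichever sender path previously moved REQ_INIT to REQ_PENDING must now also accept REQ_INIT_PENDING, otherwise a responder that arrives before the send completes sits in the `while (creq->state == REQ_INIT_PENDING)` loop forever, since the wait has no timeout. If that path tests `== REQ_INIT`, it presumably needs `if (creq->state == REQ_INIT || creq->state == REQ_INIT_PENDING)` followed by a broadcast on cond; please confirm against the sender code. The `!= REQ_PENDING` branch that follows is outside the hunk and is now also reached with REQ_DESTROY from an INIT_PENDING origin, so it must still acknowledge cdap_req_destroy before this thread returns, or the destroyer frees creq while this thread is still touching its lock. A one-line comment on the new transition would help: `/* mark that a responder is waiting so cdap_req_destroy hands off instead of freeing */`.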
diff --git a/src/lib/cdap_req.h b/src/lib/cdap_req.h
index 648ebc75..b21467f3 100644
--- a/src/lib/cdap_req.h
+++ b/src/lib/cdap_req.h
@@ -36,6 +36,7 @@ typedef cdap_key_t invoke_id_t;
 enum creq_state {
         REQ_NULL = 0,
         REQ_INIT,
+        REQ_INIT_PENDING,
         REQ_PENDING,
         REQ_RESPONSE,
         REQ_DONE,
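Review bot: The new REQ_INIT_PENDING enumerator is undocumented, and inserting it between REQ_INIT and REQ_PENDING shifts the numeric value of every later state; that is harmless as long as states are only compared symbolically, which is all this patch shows, but it deserves a comment so the meaning and the ordering dependency are explicit. Suggest `REQ_INIT_PENDING, /* responder blocked in cdap_req_respond until the request leaves REQ_INIT */`. The enum's closing brace is outside the hunk.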
-- 