From 00612f5e19582db782832c69d093049c5f75dd9b Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Fri, 1 Jan 2016 20:52:56 +0100
Subject: [PATCH] fix use-after-free on NULLing CB field if CB itself destroyed our context already
---
 src/mint-lib/mint_api_handle.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/mint-lib/mint_api_handle.c b/src/mint-lib/mint_api_handle.c
index a7f779229..49960cb10 100644
--- a/src/mint-lib/mint_api_handle.c
+++ b/src/mint-lib/mint_api_handle.c
@@ -603,6 +603,7 @@ keys_completed_cb (void *cls,
 struct TALER_MINT_Handle *mint = kr->mint;
 json_t *resp_obj;
 long response_code;
+ TALER_MINT_CertificationCallback cb;
 resp_obj = MAC_download_get_result (&kr->db,
 eh,
@@ -638,11 +639,11 @@ keys_completed_cb (void *cls,
 free_keys_request (kr);
 mint->state = MHS_FAILED;
 /* notify application that we failed */
- if (NULL != mint->cert_cb)
+ if (NULL != (cb = mint->cert_cb))
 {
- mint->cert_cb (mint->cert_cb_cls,
- NULL);
 mint->cert_cb = NULL;
+ cb (mint->cert_cb_cls,
+ NULL);
 }
 return;
 }
@@ -650,11 +651,11 @@ keys_completed_cb (void *cls,
 free_keys_request (kr);
 mint->state = MHS_CERT;
 /* notify application about the key information */
- if (NULL != mint->cert_cb)
+ if (NULL != (cb = mint->cert_cb))
 {
- mint->cert_cb (mint->cert_cb_cls,
- &mint->key_data);
 mint->cert_cb = NULL;
+ cb (mint->cert_cb_cls,
+ &mint->key_data);
 }
 }
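Review bot: The new ordering in the failure path (clear `mint->cert_cb`, then call the saved `cb`) is only safe while nothing after `cb (...)` dereferences `mint`, and nothing in the code states that invariant. Today the call is followed directly by `return;`, so it holds, but a later edit that adds cleanup or logging after the call would bring the use-after-free back. I would put a comment above the call, e.g. `/* cb may destroy 'mint': clear cert_cb first and do not touch 'mint' after this call */`. The success path in the last hunk has the same shape and needs the same comment; keys_completed_cb starts before this hunk and continues past it.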
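Review bot: The success path passes `&mint->key_data` to the callback, which is a pointer into the same handle that the callback is now explicitly allowed to destroy. If the application tears the handle down inside the callback, that argument is dangling for the rest of the callback body. The declaration of `TALER_MINT_CertificationCallback` is not visible in this patch, so its documentation may already cover this; if it does not, it should state that the keys argument is valid only while the handle is alive and must not be used after the callback destroys it.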