From c83c7948602acfb5fd0716ac6a47e0c9c9f9bfd8 Mon Sep 17 00:00:00 2001
From: Guus Sliepen
Date: Tue, 26 Jun 2018 14:20:17 +0200
Subject: [PATCH] Fix a potential segfault when closing a meshlink handle. Freeing the UTCP instance of a node would result in meshlink_send() being called on a node that was already partially freed.
---
 src/meshlink.c | 5 +++++
 src/node.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/meshlink.c b/src/meshlink.c
index 4ff26ac1..24d4c249 100644
--- a/src/meshlink.c
+++ b/src/meshlink.c
@@ -2396,6 +2396,11 @@ static void channel_accept(struct utcp_connection *utcp_connection, uint16_t por
 static ssize_t channel_send(struct utcp *utcp, const void *data, size_t len) {
 node_t *n = utcp->priv;
+
+ if(n->status.destroyed) {
+ return -1;
+ }
+
 meshlink_handle_t *mesh = n->mesh;
 return meshlink_send(mesh, (meshlink_node_t *)n, data, len) ? (ssize_t)len : -1;
 }
diff --git a/src/node.c b/src/node.c
index dec86f88..4f4f5999 100644
--- a/src/node.c
+++ b/src/node.c
@@ -65,6 +65,8 @@ node_t *new_node(void) {
 void free_node(node_t *n) {
 n->status.destroyed = true;
+ utcp_exit(n->utcp);
+
 if(n->edge_tree) {
 free_edge_tree(n->edge_tree);
 }
@@ -80,8 +82,6 @@ void free_node(node_t *n) {
 free(n->name);
- utcp_exit(n->utcp);
-
 free(n);
 }
--
2.39.2
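Review bot: The new `n->status.destroyed` test in channel_send() reads the flag through `n`, so it only protects calls made while the node_t is still allocated; a send callback arriving after `free(n)` would still read freed memory. Judging by the node.c part of this commit, the window it is meant to cover is the `utcp_exit()` call inside free_node(), which runs after the flag is set and before `free(n)`. A comment above the check would record that limit, for example `/* free_node() sets status.destroyed before utcp_exit(); UTCP may still try to send during teardown. */`.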
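Review bot: In free_node() the relocated `utcp_exit(n->utcp);` relies on `n->status.destroyed = true;` staying above it, because that flag is what channel_send() in src/meshlink.c tests when UTCP sends during teardown (as the commit message describes), and nothing in the code states that dependency. A comment such as `/* Must follow status.destroyed = true: utcp_exit() can call back into channel_send(). */` would keep a later reorder from reintroducing the crash. `n->utcp` is also left pointing at the released instance while the remaining members are freed; `n->utcp = NULL;` right after the call would be a cheap hardening step. The rest of free_node() lies outside this hunk.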