From 4a8ec0c62295394ac4f4cd0959ed458b3632d392 Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Mon, 6 May 2013 11:31:43 +0200
Subject: [PATCH] sunos: handle disabled watcher after callback

Fix a potential use-after-free bug where the uv__io watcher struct is referenced after being disabled by its callback function. The stress is on 'potential' because in practice the watcher's memory is not released until the next tick of the event loop.
---
 src/unix/sunos.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/unix/sunos.c b/src/unix/sunos.c
index e134b0a1..2413105c 100644
--- a/src/unix/sunos.c
+++ b/src/unix/sunos.c
@@ -189,6 +189,9 @@ void uv__io_poll(uv_loop_t* loop, int timeout) {
 w->cb(loop, w, pe->portev_events);
 nevents++;
 
+ if (w != loop->watchers[fd])
+ continue; /* Disabled by callback. */
+
 /* Events Ports operates in oneshot mode, rearm timer on next run. */
 if (w->pevents != 0 && QUEUE_EMPTY(&w->watcher_queue))
 QUEUE_INSERT_TAIL(&loop->watcher_queue, &w->watcher_queue);
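Review bot: The new guard `if (w != loop->watchers[fd])` rests on two invariants that the comment `/* Disabled by callback. */` does not record: that `fd` is still a valid index into `loop->watchers` after `w->cb()` returns, and that stopping a watcher clears or replaces its slot. Neither is established inside this hunk, since the body of `uv__io_poll` starts and ends outside it. I would spell that out in place, for example `/* w was stopped or replaced by its own callback: its slot in loop->watchers no longer points at it, so w->pevents and w->watcher_queue must not be touched. */`. The check also only covers the watcher whose callback just ran. A callback that stops a different watcher with an event still pending in the same batch depends on whatever lookup precedes `w->cb()`, which presumably handles an emptied slot but is worth confirming for a reused descriptor. A regression test that stops the handle from inside its own callback would keep this path from regressing, as the diffstat shows only `src/unix/sunos.c` changed.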