lightningd/plugin: fix read-after-free on plugin options

Thanks sanity checks ! :p
ElementsProject · Feb 2, 2020 · 10dfa1f · 10dfa1f
1 parent 95c7e67
commit 10dfa1f
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/lightningd/plugin.c b/lightningd/plugin.c
@@ -487,7 +487,12 @@ static bool plugin_opt_add(struct plugin *plugin, const char *buffer,
 	popt = tal(plugin, struct plugin_opt);
 	popt->value = talz(popt, struct plugin_opt_value);
 
-	popt->name = tal_fmt(plugin, "--%.*s", nametok->end - nametok->start,
+	/* We allocate the name on top of the global struct, as popt->name will
+	 * be freed if we 'plugin stop' this plugin but it won't be removed from
+	 * the global opt_table !
+	 * We could end up reading after free (e.g. in json_listconfigs).
+	 * FIXME: Cleaner to allow to unregister an option ? */
+	popt->name = tal_fmt(plugin->plugins, "--%.*s", nametok->end - nametok->start,
 			     buffer + nametok->start);
 	if (json_tok_streq(buffer, typetok, "string")) {
 		popt->type = "string";
@@ -524,8 +529,9 @@ static bool plugin_opt_add(struct plugin *plugin, const char *buffer,
 	if (!defaulttok)
 		popt->description = json_strdup(popt, buffer, desctok);
 	list_add_tail(&plugin->plugin_opts, &popt->list);
-	opt_register_arg(popt->name, plugin_opt_set, NULL, popt,
-				popt->description);
+	opt_register_arg(popt->name,
+			 plugin_opt_set, NULL, popt,
+			 popt->description);
 	return true;
 }