From 44ada6ae69bc7e49d374bba8f682a6dfeaa07ef6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anton=20Luka=20=C5=A0ijanec?=
Date: Sat, 11 Mar 2023 16:30:32 +0100
Subject: use after free fix
---
 src/bencoding.c | 8 ++++++--
 src/dht.c | 10 +++++-----
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/bencoding.c b/src/bencoding.c
index 6e8a2a2..991ac9c 100644
--- a/src/bencoding.c
+++ b/src/bencoding.c
@@ -453,13 +453,17 @@ struct bencoding * bdecode_safe (const char * s, int len, enum benc opts, unsign
 b->intvalue = strtol(s+1, &ch, 10);
 b->valuelen = ch-(s+1);
 b->value = malloc(b->valuelen+1);
- if (!b->value)
+ if (!b->value) {
+ free(b);
 return NULL;
+ }
 strncpy(b->value, s+1, b->valuelen);
 b->value[b->valuelen] = '\0';
 b->after = s+2+b->valuelen;
- } else
+ } else {
+ free(b);
 return NULL;
+ }
 break;
 case 'd': /* dict */
 b->type = dict;
diff --git a/src/dht.c b/src/dht.c
index ba87fb7..8a5c107 100644
--- a/src/dht.c
+++ b/src/dht.c
@@ -1330,10 +1330,10 @@ void oom (struct dht * d) {
 while (drop && (drop->type || drop->dl))
 drop = drop->prev;
 struct torrent * old = drop;
- remove_torrent(d, old);
 if (!drop)
 break;
 drop = drop->prev;
+ remove_torrent(d, old);
 }
 }
@@ -2306,7 +2306,7 @@ void periodic (struct dht * d) {
 c = rand() % c;
 while (n && c--)
 n = n->next;
- if (n && sent < 3) { // we pick some consecutive at random and ping them.
+ while (n && sent < 3) { // we pick some consecutive at random and ping them.
 sent++; // increase to more than this if desired ... idk this is shit
 if (!n->unanswered)
 n->last_sent = seconds();
@@ -2316,7 +2316,7 @@ void periodic (struct dht * d) {
 if (!n && !t->nodes->unanswered) // if unanswered, we already sent it
 n = t->nodes;
 }
- if (sent < 2) {
+ while (sent < 2) {
 #define RTGP(buckets) {struct bucket * b = d->buckets; \
 find(t->hash, &b, NULL); \
 struct node * n = b->nodes; \
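Review bot: In the integer branch of `bdecode_safe` (src/bencoding.c, hunk at -453), nothing between `strtol(s+1, &ch, 10)` and `b->after = s+2+b->valuelen` confirms that the scan stopped on the closing `e` inside `len` bytes, or that the number fit in a `long`. If the guarding `if`, which starts outside the hunk, does not already establish this, input that is all digits up to the end of a buffer without a NUL terminator could carry the scan and `b->after` past the data. I would set `errno = 0;` before the call and add `if (errno == ERANGE || ch >= s + len || *ch != 'e') { free(b); return NULL; }` right after it. The function body starts and ends outside the hunk, so its other `return NULL` paths could not be checked for the same missing `free(b)`.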
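Review bot: The reordering in `oom` (src/dht.c, hunk at -1330) is safe only because `drop->prev` is read before `remove_torrent(d, old)` runs, and no comment records that constraint. A later clean-up could move the call back above the `if (!drop)` test and reintroduce the use after free. I would add `/* step drop back first: remove_torrent() may free old, so old->prev must not be read after it */` above `drop = drop->prev;`. Whether `remove_torrent` can also release the entry that `drop` now points to is not visible here and is worth confirming. The enclosing loop starts outside the hunk.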
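Review bot: The new `while (sent < 2)` loop in `periodic` (src/dht.c, hunk at -2316) has no visible exit other than `sent` growing. The same holds for the outer `while (sent < 1)` in the hunk at -2335, which starts again from `d->buckets` each time its inner loop runs out of buckets. If a pass sends nothing, for example because `b->nodes` is NULL in every bucket of an empty routing table, these loops would spin without end and stall the caller. The rest of `RTGP` and of the second loop body lies outside the hunks, so a `break` there cannot be ruled out. I would stop when a pass makes no progress, with `int before = sent;` at the top of each body and `if (sent == before) break;` at the bottom.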
@@ -2335,7 +2335,7 @@ void periodic (struct dht * d) {
 RTGP(buckets);
 RTGP(buckets6);
 }
- if (sent < 1) {
+ while (sent < 1) {
 struct bucket * b = d->buckets;
 while (sent < 1 && b) {
 n = b->nodes;
@@ -2344,7 +2344,7 @@ void periodic (struct dht * d) {
 c = rand() % c;
 while (n && c--)
 n = n->next;
- if (sent < 1 && n) {
+ while (sent < 1 && n) {
 sent++;
 if (!n->unanswered)
 n->last_sent = seconds();
--
cgit v1.2.3
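Review bot: `while (sent < 1 && n)` in the last hunk of `periodic` (src/dht.c, at -2344) cannot run a second iteration, because `sent++` is the first statement of its body and makes the condition false. It behaves like the `if` it replaced while reading as a loop. Unless the part of the body outside the hunk lowers `sent` again, I would keep `if (sent < 1 && n) {` so the control flow says what it does. The `while (sent < 1 && b)` shown in the previous hunk appears to be the loop that actually walks the buckets.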