From e17232f7257875a6f0918ba5d263abb9645b9725 Mon Sep 17 00:00:00 2001
From: Simon Giesecke
Date: Fri, 22 Mar 2019 07:19:06 -0400
Subject: [PATCH] Problem: possible use-after-free

Solution: check for failure and do not access any members afterwards
---
 src/stream_engine.cpp | 25 ++++++++++++++++++-------
 src/stream_engine.hpp |  2 ++
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/stream_engine.cpp b/src/stream_engine.cpp
index 9043d805..32dd9811 100644
--- a/src/stream_engine.cpp
+++ b/src/stream_engine.cpp
@@ -297,13 +297,20 @@ void zmq::stream_engine_t::terminate ()
 }
 
 void zmq::stream_engine_t::in_event ()
+{
+    // ignore errors
+    const bool res = in_event_internal ();
+    LIBZMQ_UNUSED (res);
+}
+
+bool zmq::stream_engine_t::in_event_internal ()
 {
     zmq_assert (!_io_error);
 
     // If still handshaking, receive and process the greeting message.
     if (unlikely (_handshaking))
         if (!handshake ())
-            return;
+            return false;
 
     zmq_assert (_decoder);
 
@@ -311,7 +318,7 @@ void zmq::stream_engine_t::in_event ()
     if (_input_stopped) {
         rm_fd (_handle);
         _io_error = true;
-        return;
+        return true; // TODO or return false in this case too?
     }
 
     // If there's no data to process in the buffer...
@@ -329,12 +336,14 @@ void zmq::stream_engine_t::in_event ()
             // connection closed by peer
             errno = EPIPE;
             error (connection_error);
-            return;
+            return false;
         }
         if (rc == -1) {
-            if (errno != EAGAIN)
+            if (errno != EAGAIN) {
                 error (connection_error);
-                return;
+                return false;
+            }
+            return true;
         }
 
         // Adjust input size
@@ -363,13 +372,14 @@ void zmq::stream_engine_t::in_event ()
         if (rc == -1) {
             if (errno != EAGAIN) {
                 error (protocol_error);
-                return;
+                return false;
             }
             _input_stopped = true;
             reset_pollin (_handle);
         }
 
         _session->flush ();
+        return true;
     }
 
 void zmq::stream_engine_t::out_event ()
@@ -497,7 +507,8 @@ bool zmq::stream_engine_t::restart_input ()
         _session->flush ();
 
         // Speculative read.
-        in_event ();
+        if (!in_event_internal ())
+            return false;
     }
 
     return true;
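Review bot: The return value of in_event_internal is a liveness signal rather than an error code, but neither the wrapper's `// ignore errors` comment nor the new definition says so; every `return false` in this hunk and in the hunks at -311, -329 and -363 follows a failed `handshake ()` or an `error (...)` call, after which the commit message says no member may be accessed. I would state the contract above the definition: `// Returns false when the engine has been torn down (failed handshake or error ()) and *this must not be touched afterwards; true when the engine is still valid.` The wrapper's comment should say what is really dropped, e.g. `// the caller has no further use for *this, so the liveness result is not needed`, since the errors themselves were already handled by error () before the false return.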
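Review bot: The `// TODO or return false in this case too?` on the `_input_stopped` branch leaves the new contract undecided in committed code. In that branch only `rm_fd (_handle)` and `_io_error = true` run and `error ()` is not called, so the object is still valid on return, which is what the other `return true` paths mean; returning false there would make restart_input abandon a live engine. Replace the question with the reason: `return true; // engine still alive: only the fd was unregistered, error () was not called`. If the caller is expected to look at `_io_error` after this, say so in that comment instead of leaving it open.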
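Review bot: restart_input now propagates the speculative read's false result with `return false`, which gives restart_input's own false return the same "do not touch *this" meaning; its earlier return paths and its caller lie outside the hunk, so I cannot see whether they already follow that rule. A comment above the new check would make the dependency explicit: `// in_event_internal () returns false only after error (); *this may already be gone, so leave without touching members.` The same note belongs on restart_input's declaration if it is not there yet.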
diff --git a/src/stream_engine.hpp b/src/stream_engine.hpp
index 391ba8d0..a1e9ce2d 100644
--- a/src/stream_engine.hpp
+++ b/src/stream_engine.hpp
@@ -87,6 +87,8 @@ class stream_engine_t : public io_object_t, public i_engine
     void timer_event (int id_);
 
   private:
+    bool in_event_internal ();
+
     // Unplug the engine from the session.
     void unplug ();