From 17132f03874e1343de5c09d97930e5e1a17f193e Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Thu, 5 May 2016 17:47:16 +0100
Subject: [PATCH] Problem: read-after-free when closing socket

Solution: use socket object's mutex before the send_reap() call that
might deallocate it
---
 src/socket_base.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/socket_base.cpp b/src/socket_base.cpp
index 4253256e..d3eeb4cb 100644
--- a/src/socket_base.cpp
+++ b/src/socket_base.cpp
@@ -1290,12 +1290,13 @@ int zmq::socket_base_t::close ()
     //  Mark the socket as dead
     tag = 0xdeadbeef;
 
+    EXIT_MUTEX ();
+
     //  Transfer the ownership of the socket from this application thread
     //  to the reaper thread which will take care of the rest of shutdown
     //  process.
     send_reap (this);
 
-    EXIT_MUTEX ();
     return 0;
 }