From 9859d8d2969ab28541a91b77a321d9c7265c45fd Mon Sep 17 00:00:00 2001 From: Craig Tiller Date: Tue, 26 Apr 2016 21:07:53 -0700 Subject: Fix use-after-free --- src/core/lib/surface/call.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/core') diff --git a/src/core/lib/surface/call.c b/src/core/lib/surface/call.c index f33688beef..3f31e77247 100644 --- a/src/core/lib/surface/call.c +++ b/src/core/lib/surface/call.c @@ -373,7 +373,6 @@ static void destroy_call(grpc_exec_ctx *exec_ctx, void *call, bool success) { if (c->receiving_stream != NULL) { grpc_byte_stream_destroy(exec_ctx, c->receiving_stream); } - GRPC_CHANNEL_INTERNAL_UNREF(exec_ctx, c->channel, "call"); gpr_mu_destroy(&c->mu); for (i = 0; i < STATUS_SOURCE_COUNT; i++) { if (c->status[i].details) { @@ -391,7 +390,9 @@ static void destroy_call(grpc_exec_ctx *exec_ctx, void *call, bool success) { if (c->cq) { GRPC_CQ_INTERNAL_UNREF(c->cq, "bind"); } + grpc_channel *channel = c->channel; grpc_call_stack_destroy(exec_ctx, CALL_STACK_FROM_CALL(c), c); + GRPC_CHANNEL_INTERNAL_UNREF(exec_ctx, channel, "call"); GPR_TIMER_END("destroy_call", 0); } -- cgit v1.2.3