channel.c: Fix for heap-use-after-free

ASAN detected this heap-use-after-free.
A job started by channel_from_job() could terminate and result in a call
to free_channel(), while channel_send_call() was still active/pending
and accessing Channel elements.

Original patch by @tarruda.

1 files changed, 7 insertions, 1 deletions

diff --git a/src/nvim/msgpack_rpc/channel.c b/src/nvim/msgpack_rpc/channel.c
index 760f150b19..b6ac3fab82 100644
--- a/src/nvim/msgpack_rpc/channel.c
+++ b/src/nvim/msgpack_rpc/channel.c
@@ -348,7 +348,13 @@ static void job_err(RStream *rstream, void *data, bool eof)
 
 static void job_exit(Job *job, void *data)
 {
-  free_channel((Channel *)data);
+  Channel *channel = data;
+  // ensure the channel is flagged as closed so channel_send_call frees it
+  // later
+  channel->closed = true;
+  if (!kv_size(channel->call_stack)) {
+    free_channel(channel);
+  }
 }
 
 static void parse_msgpack(RStream *rstream, void *data, bool eof)