From 6defb2b3a0a124bf69d0d31478e42a106614fd87 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Mon, 13 Sep 2021 14:18:12 +0100
Subject: [PATCH] fd-socket: fix use after free on socket close.

The call to plug_closing very likely destroys the FdSocket entirely, so we shouldn't wait until after that to clean up its input fd via lots of dereferences.
---
 unix/fd-socket.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/unix/fd-socket.c b/unix/fd-socket.c
index 7697d995..6c468e6b 100644
--- a/unix/fd-socket.c
+++ b/unix/fd-socket.c
@@ -260,15 +260,16 @@ static void fdsocket_select_result_input(int fd, int event)
 if (retd > 0) {
 plug_receive(fds->plug, 0, buf, retd);
 } else {
+ del234(fdsocket_by_infd, fds);
+ uxsel_del(fds->infd);
+ close(fds->infd);
+ fds->infd = -1;
+
 if (retd < 0) {
 plug_closing(fds->plug, strerror(errno), errno, 0);
 } else {
 plug_closing(fds->plug, NULL, 0, 0);
 }
- del234(fdsocket_by_infd, fds);
- uxsel_del(fds->infd);
- close(fds->infd);
- fds->infd = -1;
 }
 }
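Review bot: The `retd < 0` branch still reads `errno` in `plug_closing(fds->plug, strerror(errno), errno, 0)`, but that line now runs after the cleanup calls moved above it, and `close(fds->infd)` (and possibly `uxsel_del`/`del234`) can overwrite `errno`, so the error reported to the plug may no longer be the one from the failed read. Capturing the value before the cleanup keeps the reported cause correct: add `int saved_errno = errno;` as the first statement of the `else` branch, before `del234(fdsocket_by_infd, fds);`, and change the call to `plug_closing(fds->plug, strerror(saved_errno), saved_errno, 0);`. The read that sets `retd` and the rest of `fdsocket_select_result_input` are outside the hunk, so I cannot confirm nothing else between the read and this branch touches `errno`; the saved copy is the conservative choice either way. The ordering change itself (tearing down the fd before the plug callback that may free `fds`) looks right and is not re-raised here.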