From 8979127a06fdc2b5b8469eda9afb13fdfb83e3be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20Grubbstr=C3=B6m=20=28Grubba=29?=
 <grubba@grubba.org>
Date: Fri, 9 May 2014 12:38:57 +0200
Subject: [PATCH] Backend: Fixed potential double free on exit.

The code that freed registered fd boxes on termination of a backend
did not invalidate the reference; this may have caused a reference
underflow for fds that were still registered in the now-dead backend.

We now use the proper unhook code to de-register the fd boxes.
---
 src/backend.cmod | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/src/backend.cmod b/src/backend.cmod
index 56e10ca98a..1cc2d861f8 100644
--- a/src/backend.cmod
+++ b/src/backend.cmod
@@ -2391,11 +2391,7 @@ PIKECLASS Backend
 	  really_free_compat_cb_box ((struct compat_cb_box *) box);
 	}
 
-	if (box->backend) {
-	  box->backend = NULL;
-	  if (box->ref_obj && box->events)
-	    free_object (box->ref_obj);
-	}
+	unhook_fd_callback_box(box);
       }
 
       free(me->fd_boxes);
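Review bot: In the fd_boxes loop the context line `really_free_compat_cb_box ((struct compat_cb_box *) box);` sits directly above the new `unhook_fd_callback_box(box);`, so unless that branch leaves the iteration in code outside this hunk, the unhook call is handed a box that appears to have just been released. The removed code had the same shape (it read `box->backend` at the same point), so this is not introduced here, but a commit that fixes a double free is the right place to settle it: either add `continue;` after the free or unhook the box before freeing it. The loop and the enclosing condition start above the hunk, so the branch structure and any NULL check on `box` cannot be confirmed from these lines.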
@@ -2411,11 +2407,7 @@ PIKECLASS Backend
 	  Pike_fatal ("Got inactive callback in compat interface.\n");
 #endif
 
-	if (box->backend) {
-	  box->backend = NULL;
-	  if (box->ref_obj && box->events)
-	    free_object (box->ref_obj);
-	}
+	unhook_fd_callback_box(box);
       }
 
       free(me->inactive_boxes);
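Review bot: The new `unhook_fd_callback_box(box);` in the inactive_boxes loop, and its twin in the fd_boxes loop, carries no comment explaining why the manual `free_object` was replaced; the reasoning is only in the commit message. I would add `/* De-register via unhook so the box's reference is invalidated, not just dropped (avoids ref underflow). */` above both calls. Since unhook_fd_callback_box is defined outside the hunk, it is also worth confirming that it does not modify `me->inactive_boxes` while this loop is walking it, and that it tolerates a box whose `backend` is already NULL, which the removed `if (box->backend)` guard used to skip.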
-- 
GitLab