From 161a7f1e1c971b663ddb28eac6a8c4ab46588387 Mon Sep 17 00:00:00 2001
From: Geddy
Date: Thu, 29 Feb 2024 06:32:43 +0800
Subject: [PATCH] udp,unix: fix sendmsg use-after-free (#4321)
Issue: 1. uv__io_poll calls uv__udp_io with revents == POLLIN + POLLOUT 2. uv__udp_io calls your recv_cb 3. you close the handle in callback 4. uv__udp_io calls uv__udp_sendmsg 5. uv__udp_sendmsg calls uv__io_feed 6. kaboom!
---
 src/unix/udp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/unix/udp.c b/src/unix/udp.c
index c2814512a5f..5dcd5a4da7d 100644
--- a/src/unix/udp.c
+++ b/src/unix/udp.c
@@ -141,7 +141,7 @@ static void uv__udp_io(uv_loop_t* loop, uv__io_t* w, unsigned int revents) {
   if (revents & POLLIN)
     uv__udp_recvmsg(handle);
-  if (revents & POLLOUT) {
+  if (revents & POLLOUT && !uv__is_closing(handle)) {
     uv__udp_sendmsg(handle);
     uv__udp_run_completed(handle);
   }
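Review bot: The added condition depends on `&` binding tighter than `&&`, which is correct but easy to misread beside the plain POLLIN test two lines above; `if ((revents & POLLOUT) && !uv__is_closing(handle)) {` states the grouping explicitly. The guard also needs a comment, because nothing in the hunk records why it exists and a later cleanup could drop it and reintroduce the use-after-free described in the commit message: `/* recv_cb may have closed the handle; never feed a closed watcher to the loop. */`. Skipping uv__udp_run_completed for a closing handle is only safe if the close path drains write_queue itself, which is outside this hunk and worth confirming. The closing brace of uv__udp_io lies beyond the hunk.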