From f8c30d022982d089fb90543c0cd5628b161d065d Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Wed, 12 Aug 2015 21:14:18 +0900
Subject: [PATCH] nghttpx: Fix heap-use-after-free

---
 src/shrpx_connection.cc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc
index d9597901..c7c52722 100644
--- a/src/shrpx_connection.cc
+++ b/src/shrpx_connection.cc
@@ -77,12 +77,6 @@ Connection::~Connection() {
 }
 
 void Connection::disconnect() {
-  ev_timer_stop(loop, &rt);
-  ev_timer_stop(loop, &wt);
-
-  rlimit.stopw();
-  wlimit.stopw();
-
   if (tls.ssl) {
     SSL_set_shutdown(tls.ssl, SSL_RECEIVED_SHUTDOWN);
     ERR_clear_error();
@@ -110,6 +104,14 @@ void Connection::disconnect() {
     close(fd);
     fd = -1;
   }
+
+  // Stop watchers here because they could be activated in
+  // SSL_shutdown().
+  ev_timer_stop(loop, &rt);
+  ev_timer_stop(loop, &wt);
+
+  rlimit.stopw();
+  wlimit.stopw();
 }
 
 namespace {