From 6c660535b215e7cbce210755276716a396878f45 Mon Sep 17 00:00:00 2001
From: Arran Cudbard-Bell <a.cudbardb@freeradius.org>
Date: Sat, 14 Dec 2019 17:40:47 +0700
Subject: [PATCH] Fix TOCTOU like issue in conn_closed caused by the a
 filedescriptor not being removed from the event loop before it's been freed

---
 src/modules/rlm_radius/rlm_radius_udp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/modules/rlm_radius/rlm_radius_udp.c b/src/modules/rlm_radius/rlm_radius_udp.c
index ef34a435b13f..bf71206539f2 100644
--- a/src/modules/rlm_radius/rlm_radius_udp.c
+++ b/src/modules/rlm_radius/rlm_radius_udp.c
@@ -505,13 +505,15 @@ static void conn_error(UNUSED fr_event_list_t *el, UNUSED int fd, UNUSED int fla
 /** Shutdown/close a file descriptor
  *
  */
-static void _conn_close(UNUSED fr_event_list_t *el, void *h, void *uctx)
+static void _conn_close(fr_event_list_t *el, void *h, void *uctx)
 {
 	int fd = *((int *)h);
 	fr_io_connection_t *c = talloc_get_type_abort(uctx, fr_io_connection_t);
 
 	if (c->idle_ev) fr_event_timer_delete(c->thread->el, &c->idle_ev);
 
+	fr_event_fd_delete(c->el, fd, FR_EVENT_FILTER_IO);
+
 	if (shutdown(fd, SHUT_RDWR) < 0) {
 		DEBUG3("%s - Failed shutting down connection %s: %s",
 		       c->module_name, c->name, fr_syserror(errno));