From 9300a7ebc856356f1d55df16ddfb845773b5daca Mon Sep 17 00:00:00 2001
From: Qu Chen
Date: Mon, 11 Nov 2024 01:39:48 -0800
Subject: [PATCH] Set fields to NULL after free in freeClient() (#1279)

Null out several references after freeing the object in `freeClient()`. This is just to make the code more safe, to protect against use-after-free for future changes.

Signed-off-by: Qu Chen
---
 src/networking.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/networking.c b/src/networking.c
index 96dd05d50..1a008a852 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -1731,6 +1731,7 @@ void freeClient(client *c) {
 /* UNWATCH all the keys */
 unwatchAllKeys(c);
 listRelease(c->watched_keys);
+ c->watched_keys = NULL;
 /* Unsubscribe from all the pubsub channels */
 pubsubUnsubscribeAllChannels(c, 0);
@@ -1738,16 +1739,22 @@ void freeClient(client *c) {
 pubsubUnsubscribeAllPatterns(c, 0);
 unmarkClientAsPubSub(c);
 dictRelease(c->pubsub_channels);
+ c->pubsub_channels = NULL;
 dictRelease(c->pubsub_patterns);
+ c->pubsub_patterns = NULL;
 dictRelease(c->pubsubshard_channels);
+ c->pubsubshard_channels = NULL;
 /* Free data structures. */
 listRelease(c->reply);
+ c->reply = NULL;
 zfree(c->buf);
+ c->buf = NULL;
 freeReplicaReferencedReplBuffer(c);
 freeClientArgv(c);
 freeClientOriginalArgv(c);
 if (c->deferred_reply_errors) listRelease(c->deferred_reply_errors);
+ c->deferred_reply_errors = NULL;
 #ifdef LOG_REQ_RES
 reqresReset(c, 1);
 #endif
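Review bot: The new `c->watched_keys = NULL;` after `listRelease(c->watched_keys)` carries no comment, and the same is true of the six resets in the second hunk. Without a stated reason, a store into an object that is itself being torn down looks like dead code and is easy to remove in a later cleanup. A single comment above the first reset would record the intent, for example `/* Clear each pointer once released so any later access in freeClient() hits NULL instead of freed memory. */`. freeClient() begins and ends outside this hunk, so which later code actually depends on the cleared fields cannot be checked from here.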
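Review bot: The cleared pointers only protect against a second release if the release functions accept NULL, and the hunk is inconsistent on that. `listRelease(c->deferred_reply_errors)` is guarded by `if (c->deferred_reply_errors)`, while `listRelease(c->reply)` and the three `dictRelease(...)` calls are unguarded. The definitions of `listRelease` and `dictRelease` are not visible here; if they dereference their argument, a repeated pass over this code would turn a double free into a NULL dereference, which is a safer failure but still a crash. Either guard the calls the same way, e.g. `if (c->reply) listRelease(c->reply);`, or, if both functions are NULL-tolerant, say so in a comment and drop the lone guard for consistency. The helpers `freeReplicaReferencedReplBuffer(c)`, `freeClientArgv(c)` and `freeClientOriginalArgv(c)` sit between the new resets and are not touched; it is worth confirming that they clear the fields they release, since their bodies are outside this hunk.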