From 2503d66ae8cdef9832e096260f83cd81c3fdbfe3 Mon Sep 17 00:00:00 2001
From: nosoop
Date: Thu, 11 Jul 2019 05:35:11 -0700
Subject: [PATCH] Prevent plugins from freeing active forward handle

This prevents undefined behavior when a plugin deletes the handle to a currently running forward.
---
 core/logic/smn_functions.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/core/logic/smn_functions.cpp b/core/logic/smn_functions.cpp
index 606b7855bb..d6a5828a4c 100644
--- a/core/logic/smn_functions.cpp
+++ b/core/logic/smn_functions.cpp
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include "AutoHandleRooter.h"
 HandleType_t g_GlobalFwdType = 0;
 HandleType_t g_PrivateFwdType = 0;
@@ -43,6 +44,7 @@ static bool s_CallStarted = false;
 static ICallable *s_pCallable = NULL;
 static IPluginFunction *s_pFunction = NULL;
 static IForward *s_pForward = NULL;
+static Handle_t s_ForwardHndl = BAD_HANDLE;
 class ForwardNativeHelpers : public SMGlobalClass,
@@ -102,6 +104,12 @@ inline void ResetCall()
 s_pFunction = NULL;
 s_pForward = NULL;
 s_pCallable = NULL;
+ if (s_ForwardHndl != BAD_HANDLE)
+ {
+ HandleSecurity sec(g_pCoreIdent, g_pCoreIdent);
+ handlesys->FreeHandle(s_ForwardHndl, &sec);
+ s_ForwardHndl = BAD_HANDLE;
+ }
 }
 static cell_t sm_GetFunctionByName(IPluginContext *pContext, const cell_t *params)
@@ -363,6 +371,8 @@ static cell_t sm_CallStartForward(IPluginContext *pContext, const cell_t *params
 s_CallStarted = true;
+ s_ForwardHndl = handlesys->FastCloneHandle(hndl);
+ return 1;
 }
@@ -646,6 +656,8 @@ static cell_t sm_CallFinish(IPluginContext *pContext, const cell_t *params)
 pContext->LocalToPhysAddr(params[1], &result);
+ AutoHandleRooter ahr(s_ForwardHndl);
+ // Note: Execute() swallows exceptions, so this is okay.
 if (s_pFunction) {
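Review bot: The result of `handlesys->FreeHandle(s_ForwardHndl, &sec);` in ResetCall() is thrown away, so a failed release leaves the core-owned clone, and the forward it pins, alive with nothing recorded. Keeping the result, `HandleError err = handlesys->FreeHandle(s_ForwardHndl, &sec);`, and logging when it is not `HandleError_None` would make such a leak visible. A one-line comment on the new block would also help, for example `// Release the core-owned clone taken in sm_CallStartForward.` ResetCall() starts above the hunk, so any other state it resets is not visible here.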
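Review bot: The value returned by `handlesys->FastCloneHandle(hndl)` in sm_CallStartForward is stored unchecked, so if the clone fails `s_ForwardHndl` stays `BAD_HANDLE` and the native still returns 1. The call then proceeds with no pin on the forward, which is exactly the free-while-running case this commit sets out to close. Failing the native is safer, e.g. `if (s_ForwardHndl == BAD_HANDLE) { ResetCall(); return pContext->ThrowNativeError("Failed to pin forward handle"); }` directly after the clone. The function starts above the hunk, so please confirm that an earlier ResetCall() or in-progress check prevents a previous clone from being overwritten and leaked at this assignment.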
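Review bot: Nothing at `AutoHandleRooter ahr(s_ForwardHndl);` in sm_CallFinish explains why a second reference is taken when sm_CallStartForward already holds a clone. If, as appears likely, the branches below call ResetCall() before Execute(), that frees `s_ForwardHndl` and the rooter is the only thing keeping the forward alive while it runs. A comment such as `// ResetCall() drops s_ForwardHndl before Execute(); keep the forward rooted until this native returns.` would protect the line from being removed as redundant. The rooter is also constructed on the `s_pFunction` path, where `s_ForwardHndl` is presumably `BAD_HANDLE`, so this relies on AutoHandleRooter tolerating that value. Both the Execute() branches and AutoHandleRooter are outside the hunk, so confirm them before settling the wording.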