Fixes #600

ChangeLog

@@ -36,6 +36,8 @@ Version 4.5.2 'dan Eider':
 	- Add systemd notification for better systemd integration
 	- Fix Issue #621 (by ycaibb)
 		* Fix: Null pointer dereference on tcp_client_input_handler_rfc6062data function
+	- Fix Issue #600 (by ycaibb)
+		* Fix: use-after-free vulnerability on write_to_peerchannel function
 
 24/06/2020 Oleg Moskalenko <[email protected]> Mihály Mészáros <[email protected]>
 Version 4.5.1.3 'dan Eider':

src/server/ns_turn_server.c

@@ -4134,7 +4134,7 @@ static int write_to_peerchannel(ts_ur_super_session* ss, uint16_t chnum, ioa_net
 			int skip = 0;
 			rc = send_data_from_ioa_socket_nbh(get_relay_socket_ss(ss, chn->peer_addr.ss.sa_family), &(chn->peer_addr), nbh, in_buffer->recv_ttl-1, in_buffer->recv_tos, &skip);
 
-			if (!skip) {
+			if (!skip && rc > -1) {
 				++(ss->peer_sent_packets);
 				ss->peer_sent_bytes += (uint32_t)ioa_network_buffer_get_size(in_buffer->nbh);
 				turn_report_session_usage(ss, 0);