From 2edc14a193883bacd70ccccbb84c5149fea77a99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A9sz=C3=A1ros=20Mih=C3=A1ly?= <misi@majd.eu>
Date: Thu, 7 Jan 2021 21:38:43 +0000
Subject: [PATCH] Fixes #601

---
 ChangeLog                   | 2 ++
 src/server/ns_turn_server.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 75b94b2c..2fe5f586 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -38,6 +38,8 @@ Version 4.5.2 'dan Eider':
 		* Fix: Null pointer dereference on tcp_client_input_handler_rfc6062data function
 	- Fix Issue #600 (by ycaibb)
 		* Fix: use-after-free vulnerability on write_to_peerchannel function
+	- Fix Issue #601 (by ycaibb)
+		* Fix: use-after-free vulnerability on write_client_connection function
 
 24/06/2020 Oleg Moskalenko <mom040267@gmail.com> Mihály Mészáros <misi@majd.eu>
 Version 4.5.1.3 'dan Eider':
diff --git a/src/server/ns_turn_server.c b/src/server/ns_turn_server.c
index c8c92656..3d264ada 100644
--- a/src/server/ns_turn_server.c
+++ b/src/server/ns_turn_server.c
@@ -4293,7 +4293,7 @@ static int write_client_connection(turn_turnserver *server, ts_ur_super_session*
 		int skip = 0;
 		int ret = send_data_from_ioa_socket_nbh(ss->client_socket, NULL, nbh, ttl, tos, &skip);
 
-		if(!skip) {
+		if(!skip && ret>-1) {
 			++(ss->sent_packets);
 			ss->sent_bytes += (uint32_t)ioa_network_buffer_get_size(nbh);
 			turn_report_session_usage(ss, 0);