v4.0.5: bug fix: use-after-free in Scheduler::execute() when a callback destroys

Author: arkhipenko

.github/workflows/test.yml

@@ -521,3 +521,86 @@ jobs:
         run: |
           echo "=== Running Thread-Safe Tests ==="
           ./test_thread_safe
+
+  test-uaf-regression:
+    name: UAF Regression Tests (iNextExecute fix)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y cmake build-essential libgtest-dev pkg-config
+
+      - name: Build and install Google Test
+        run: |
+          cd /usr/src/gtest
+          sudo cmake .
+          sudo cmake --build . --target all
+          sudo cp lib/*.a /usr/lib || sudo cp *.a /usr/lib
+
+      - name: Create CMakeLists.txt for UAF Regression Tests
+        run: |
+          cat > CMakeLists.txt << 'EOF'
+          cmake_minimum_required(VERSION 3.10)
+          project(TaskSchedulerUafRegressionTests VERSION 1.0.0)
+
+          set(CMAKE_CXX_STANDARD 14)
+          set(CMAKE_CXX_STANDARD_REQUIRED ON)
+
+          # Find required packages
+          find_package(PkgConfig REQUIRED)
+          find_package(Threads REQUIRED)
+
+          # Include directories
+          include_directories(${CMAKE_SOURCE_DIR}/src)
+          include_directories(${CMAKE_SOURCE_DIR}/tests)
+
+          # Gather source files
+          file(GLOB TASKSCHEDULER_SOURCES
+              "${CMAKE_SOURCE_DIR}/src/*.cpp"
+              "${CMAKE_SOURCE_DIR}/src/*.c"
+          )
+
+          # Create the UAF regression test executable
+          add_executable(test_uaf_regression
+              tests/test-scheduler-uaf-regression.cpp
+              ${TASKSCHEDULER_SOURCES}
+          )
+
+          # Link libraries
+          target_link_libraries(test_uaf_regression
+              gtest
+              gtest_main
+              pthread
+          )
+
+          # Compiler definitions for Arduino compatibility
+          target_compile_definitions(test_uaf_regression PRIVATE
+              ARDUINO=300
+          )
+
+          # Compiler flags
+          target_compile_options(test_uaf_regression PRIVATE
+              -Wall
+              -Wextra
+              -O2
+          )
+
+          # Enable testing
+          enable_testing()
+          add_test(NAME UafRegressionTests COMMAND test_uaf_regression)
+          EOF
+
+      - name: Build UAF regression tests
+        run: |
+          cmake .
+          make -j$(nproc)
+
+      - name: Run UAF regression tests
+        run: |
+          echo "=== Running UAF Regression Tests ==="
+          ./test_uaf_regression

README.md

@@ -1,6 +1,6 @@
 # Task Scheduler
 ### Cooperative multitasking for Arduino, ESPx, STM32 and other microcontrollers
-#### Version 4.0.4: 2026-01-16 [Latest updates](https://github.com/arkhipenko/TaskScheduler/wiki/Latest-Updates)
+#### Version 4.0.5: 2026-04-16 [Latest updates](https://github.com/arkhipenko/TaskScheduler/wiki/Latest-Updates)
 
 [![arduino-library-badge](https://www.ardu-badge.com/badge/TaskScheduler.svg?)](https://www.ardu-badge.com/TaskScheduler)
 

TaskScheduler.code-workspace

@@ -0,0 +1,8 @@
+{
+	"folders": [
+		{
+			"path": "."
+		}
+	],
+	"settings": {}
+}

library.json

@@ -16,7 +16,7 @@
       "maintainer": true
     }
   ],
-  "version": "4.0.4",
+  "version": "4.0.5",
   "frameworks": "arduino",
   "platforms": "*"
 }

library.properties

@@ -1,5 +1,5 @@
 name=TaskScheduler
-version=4.0.4
+version=4.0.5
 author=Anatoli Arkhipenko <arkhipenko@hotmail.com>
 maintainer=Anatoli Arkhipenko <arkhipenko@hotmail.com>
 sentence=Cooperative multitasking for Arduino, ESPx, STM32 and other microcontrollers.

src/TaskScheduler.h

@@ -1,6 +1,6 @@
 /*
 Cooperative multitasking library for Arduino
-Copyright (c) 2015-2025 Anatoli Arkhipenko
+Copyright (c) 2015-2026 Anatoli Arkhipenko
 
 Changelog:
 v1.0.0:
@@ -307,6 +307,13 @@ v4.0.3:
 v4.0.4:
     2025-11-15:
         - bug: set callbacks should not be available for _TASK_OO_CALLBACKS mode
+
+v4.0.5:
+    2026-04-16:
+        - bug fix: use-after-free in Scheduler::execute() when a callback destroys
+          the next task in the chain (e.g. painlessMesh BufferedConnection teardown).
+          Promoted nextTask to scheduler member iNextExecute so deleteTask() can
+          advance it before the memory is freed.
 */
 
 #include "TaskSchedulerDeclarations.h"
@@ -1023,6 +1030,7 @@ void Scheduler::init() {
     iFirst = NULL;
     iLast = NULL;
     iCurrent = NULL;
+    iNextExecute = NULL;
 
     iPaused = false;
 
@@ -1076,11 +1084,16 @@ void Scheduler::init() {
  */
 void Scheduler::deleteTask(Task& aTask) {
 // Can only delete own tasks
-    if (aTask.iScheduler != this) 
+    if (aTask.iScheduler != this)
         return;
-    
+
     iEnabled = false;
 
+    // If execute() is mid-iteration and this task is next in line,
+    // advance the pointer before we unlink and the memory is freed.
+    if (iNextExecute == &aTask)
+        iNextExecute = aTask.iNext;
+
     aTask.iScheduler = NULL;
     if (aTask.iPrev == NULL) {
         if (aTask.iNext == NULL) {
@@ -1549,7 +1562,6 @@ bool Scheduler::execute() {
 #endif  // _TASK_SLEEP_ON_IDLE_RUN
 
 
-    Task *nextTask;     // support for deleting the task in the onDisable method
     iCurrent = iFirst;
 
     iActiveTasks = 0;
@@ -1605,7 +1617,7 @@ bool Scheduler::execute() {
         if (iHighPriority) idleRun = iHighPriority->execute() && idleRun;
         iCurrentScheduler = this;
 #endif  // _TASK_PRIORITY
-        nextTask = iCurrent->iNext;
+        iNextExecute = iCurrent->iNext;
         do {
             if ( iCurrent->iStatus.enabled ) {
                 iActiveTasks++;
@@ -1763,7 +1775,7 @@ bool Scheduler::execute() {
 #endif  //  #ifdef _TASK_SELF_DESTRUCT
         } while (0);    //guaranteed single run - allows use of "break" to exit
 
-        iCurrent = nextTask;
+        iCurrent = iNextExecute;
 
 #ifdef _TASK_TIMECRITICAL
         iCPUCycle += ( (_task_micros() - tPassStart) - (tTaskFinish - tTaskStart) );

src/TaskSchedulerDeclarations.h

@@ -2,9 +2,9 @@
  * @file TaskSchedulerDeclarations.h
  * @brief Cooperative multitasking library for Arduino microcontrollers
  * @author Anatoli Arkhipenko
- * @version 4.0.2
- * @date 2015-2025
- * @copyright Copyright (c) 2015-2025 Anatoli Arkhipenko
+ * @version 4.0.5
+ * @date 2015-2026
+ * @copyright Copyright (c) 2015-2026 Anatoli Arkhipenko
  *
  * @details A lightweight implementation of cooperative multitasking (task scheduling) supporting:
  * - Periodic task execution, with dynamic execution period in milliseconds (default) or microseconds
@@ -3066,7 +3066,7 @@ class Scheduler {
 #ifdef _TASK_THREAD_SAFE
     __TASK_INLINE void   processRequests();
 #endif
-    Task          *iFirst, *iLast, *iCurrent;        // pointers to first, last and current tasks in the chain
+    Task          *iFirst, *iLast, *iCurrent, *iNextExecute;  // pointers to first, last, current and next-to-execute tasks in the chain
 
     volatile bool iPaused, iEnabled;
     unsigned long iActiveTasks;