From fbb030d7f767513aa9b646c67cab4659599682d3 Mon Sep 17 00:00:00 2001
From: Nicholas Marriott <nicm@openbsd.org>
Date: Sun, 11 Oct 2009 10:39:27 +0000
Subject: [PATCH] Set the current window pointer to NULL when killing a winlink
 that is to be replaced with link-window -k. This prevents it being pushed
 onto the last window stack and causing a use-after-free.

Only took me an hour to find this :-/...
---
 server-fn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server-fn.c b/server-fn.c
index beaae07a..f4f71980 100644
--- a/server-fn.c
+++ b/server-fn.c
@@ -284,8 +284,10 @@ server_link_window(struct session *src, struct winlink *srcwl,
 			winlink_remove(&dst->windows, dstwl);
 
 			/* Force select/redraw if current. */
-			if (dstwl == dst->curw)
+			if (dstwl == dst->curw) {
 				selectflag = 1;
+				dst->curw = NULL;
+			}
 		}
 	}