Error paths in `handle_peer_spoke(…)` in `lightningd/peer_control.c` dereference an uninitialized pointer

[whitslack]

The local variable error is declared to be of a pointer type with no initialization:

lightning/lightningd/peer_control.c

Line 1960 in ec7d247

const u8 *error;

Several error paths, upon failure to create a socket pair, jump to the label send_error without initializing error.

lightning/lightningd/peer_control.c

Lines 1981 to 1983 in ec7d247

	pfd = sockpair(tmpctx, channel, &other_fd, &error);
	if (!pfd)
	goto send_error;

lightning/lightningd/peer_control.c

Lines 2025 to 2027 in ec7d247

	pfd = sockpair(tmpctx, channel, &other_fd, &error);
	if (!pfd)
	goto send_error;

lightning/lightningd/peer_control.c

Lines 2062 to 2064 in ec7d247

	pfd = sockpair(tmpctx, channel, &other_fd, &error);
	if (!pfd)
	goto send_error;

lightning/lightningd/peer_control.c

Lines 2081 to 2083 in ec7d247

	pfd = sockpair(tmpctx, channel, &other_fd, &error);
	if (!pfd)
	goto send_error;

The code at send_error passes error as an argument to both tal_hex and towire_connectd_peer_send_msg:

lightning/lightningd/peer_control.c

Lines 2115 to 2122 in ec7d247

	send_error:
	log_peer_debug(ld->log, &peer->id, "Telling connectd to send error %s",
	tal_hex(tmpctx, error));
	/* Get connectd to send error and close. */
	subd_send_msg(ld->connectd,
	take(towire_connectd_peer_send_msg(NULL, &peer->id,
	peer->connectd_counter,
	error)));

The consequence is likely to be a segfault when a socket pair cannot be created.