authorGregory Nutt <gnutt@nuttx.org>2014-01-13 12:04:01 -0600
committerGregory Nutt <gnutt@nuttx.org>2014-01-13 12:04:01 -0600
commit37910672a48dbac1288ddb677935c2d8f24bbaa8 (patch)
treefea45ff9dd50dc8eec44bddacb6b5c041bf6b23a
parent45e0b49b1a2808c4ce4c289fbbc8ee284b293917 (diff)
NET: prevent tcp_connect callback from being double freed. From Max Holtzberg.
-rw-r--r--nuttx/ChangeLog2
-rw-r--r--nuttx/net/connect.c2
-rw-r--r--nuttx/net/net_close.c4
-rw-r--r--nuttx/net/uip/uip_callback.c15
4 files changed, 20 insertions, 3 deletions
diff --git a/nuttx/ChangeLog b/nuttx/ChangeLog
index 776a642a5..65873be4d 100644
--- a/nuttx/ChangeLog
+++ b/nuttx/ChangeLog
@@ -6420,3 +6420,5 @@
Extended from logic provided by Jason Jiang. Enabled with
CONFIG_NET_SOLINGER. At this point, it has only been verified that
the changes does not seem to do any harm (2014-1-13).
+ * net/connect.c and net/uip/uip_callback.c: prevent tcp_connect
+ callback from being double freed. From Max Holtzberg (2014-1-13).
diff --git a/nuttx/net/connect.c b/nuttx/net/connect.c
index fdbb34f55..73cb61bd4 100644
--- a/nuttx/net/connect.c
+++ b/nuttx/net/connect.c
@@ -138,6 +138,8 @@ static inline void tcp_teardown_callbacks(struct tcp_connect_s *pstate,
uip_tcpcallbackfree(conn, pstate->tc_cb);
+ pstate->tc_cb = NULL;
+
/* If we successfully connected, we will continue to monitor the connection
* state via callbacks.
*/
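Review bot: The new `pstate->tc_cb = NULL;` after `uip_tcpcallbackfree()` carries no comment saying why the pointer is cleared, so a later reader could mistake it for dead code and remove it. A one-line comment above it would record the intent, for example `/* Clear the reference so a repeated teardown cannot free the callback twice */`. The assignment only protects paths that go through `pstate->tc_cb`; any other copy of the pointer would presumably still be stale, which is worth confirming against the callers. The body of tcp_teardown_callbacks starts and ends outside the hunk.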
diff --git a/nuttx/net/net_close.c b/nuttx/net/net_close.c
index 8aa775aba..42b87d2f5 100644
--- a/nuttx/net/net_close.c
+++ b/nuttx/net/net_close.c
@@ -91,7 +91,7 @@ struct tcp_close_s
* Check for a timeout on a lingering close.
*
* Parameters:
- * pstate send state structure
+ * pstate - close state structure
*
* Returned Value:
* TRUE:timeout FALSE:no timeout
@@ -310,7 +310,7 @@ static inline int netclose_disconnect(FAR struct socket *psock)
* enabled.
*/
- state.cl_cb->priv = (void*)&state;
+ state.cl_cb->priv = (FAR void *)&state;
/* Set up for the lingering wait */
diff --git a/nuttx/net/uip/uip_callback.c b/nuttx/net/uip/uip_callback.c
index 0c8c3aaa0..e945c5b1a 100644
--- a/nuttx/net/uip/uip_callback.c
+++ b/nuttx/net/uip/uip_callback.c
@@ -161,9 +161,22 @@ void uip_callbackfree(FAR struct uip_callback_s *cb, FAR struct uip_callback_s *
if (cb)
{
+ save = uip_lock();
+
+#ifdef CONFIG_DEBUG
+ /* Check for double freed callbacks */
+
+ curr = g_cbfreelist;
+
+ while (curr != NULL)
+ {
+ DEBUGASSERT(cb != curr);
+ curr = curr->flink;
+ }
+#endif
+
/* Find the callback structure in the connection's list */
- save = uip_lock();
if (list)
{
for (prev = NULL, curr = *list;
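Review bot: The double-free check added at the top of the `if (cb)` block exists only under `CONFIG_DEBUG`, so a production build still accepts a callback that is already on `g_cbfreelist`. If the rest of the function links `cb` onto that list, as the check implies, a second free would make the list cyclic and a later allocation could hand the same structure to two owners. Consider running the scan in every build and returning early on a match, keeping the assertion for debug builds; the fence sketches this and assumes `uip_unlock(save)` is the matching release call. The function continues outside the hunk, so the unlink and the free-list insertion are not visible here.

```c
      save = uip_lock();

      /* Reject a callback that is already on the free list, in every build */

      for (curr = g_cbfreelist; curr != NULL; curr = curr->flink)
        {
          DEBUGASSERT(cb != curr);
          if (cb == curr)
            {
              uip_unlock(save);
              return;
            }
        }

      /* … unchanged: find the callback structure in the connection's list … */
```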