Commit 5ffd034f authored by Gregory Nutt

TCP Networking: When CONFIG_NET_TCP_WRITE_BUFF=y there is a situation where a...

TCP Networking: When CONFIG_NET_TCP_WRITE_BUFF=y there is a situation where a NULL pointer may be dereferenced. In this configuration, the TCP connection's 'semi-permanent' callback, s_sndcb was nullified in tcp_close_disconnect. However, other logic in tcp_lost_connection() attempts to use that callback reference after it was nullified. Fixed in tcp_lost_connection() by adding a NULL pointer change before the access. This was reported by Dmitriy Linikov in Bitbucket Issue 72.
parent 7c815e55
......@@ -339,21 +339,18 @@ static inline int tcp_close_disconnect(FAR struct socket *psock)
/* Interrupts are disabled here to avoid race conditions */
net_lock();
conn = (FAR struct tcp_conn_s *)psock->s_conn;
DEBUGASSERT(conn != NULL);
#ifdef CONFIG_NET_TCP_WRITE_BUFFERS
/* If we have a semi-permanent write buffer callback in place, then
* release it now.
*/
#ifdef CONFIG_NET_TCP_WRITE_BUFFERS
if (psock->s_sndcb)
{
psock->s_sndcb = NULL;
}
psock->s_sndcb = NULL;
#endif
DEBUGASSERT(conn != NULL);
/* Check for the case where the host beat us and disconnected first */
if (conn->tcpstateflags == TCP_ESTABLISHED &&
......
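Review bot: the comment in tcp_close_disconnect() says the semi-permanent write buffer callback is released here, but the only statement under CONFIG_NET_TCP_WRITE_BUFFERS is `psock->s_sndcb = NULL;`, which clears the reference without freeing anything. Either free the callback structure at this point or reword the comment to say the pointer is only cleared and name where the structure is freed. Because this assignment is what later leaves tcp_lost_connection() with a NULL callback, a short note here pointing at that dependency would keep the two functions from drifting apart again. Separately, DEBUGASSERT(conn != NULL) is the only check before conn->tcpstateflags is read, and it disappears in builds without debug assertions; consider an explicit test with an error return if a NULL s_conn is reachable on this path.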
......@@ -427,11 +427,18 @@ void tcp_lost_connection(FAR struct socket *psock,
/* Nullify the callback structure so that recursive callbacks are not
* received by the event handler due to disconnection processing.
*
* NOTE: In a configuration with CONFIG_NET_TCP_WRITE_BUFFERS=y,
* the "semi-permanent" callback structure may have already been
* nullified.
*/
cb->flags = 0;
cb->priv = NULL;
cb->event = NULL;
if (cb != NULL)
{
cb->flags = 0;
cb->priv = NULL;
cb->event = NULL;
}
/* Make sure that this socket is explicitly marked. It may not get a
* callback due to the above nullification.
......
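Review bot: the `if (cb != NULL)` guard in tcp_lost_connection() covers only the three stores shown here; any use of cb further down the function, past the visible context, needs the same guard or an early check. The function's parameter description should also state that cb may be NULL when CONFIG_NET_TCP_WRITE_BUFFERS=y, so callers and later edits do not assume a valid pointer. The NOTE added to the comment would be more useful if it named tcp_close_disconnect() as the place where the callback is nullified.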