From 01c2e43c5c77701286d2428916d630dee91919e5 Mon Sep 17 00:00:00 2001
From: sg
Date: Thu, 9 Feb 2017 20:41:27 +0100
Subject: [PATCH] Fixed bug #44032 (LWIP_NETCONN_FULLDUPLEX: select might work on invalid/reused socket) by not allowing to reallocate a socket that has "select_waiting != 0"

(cherry picked from commit c1c470fc4c0f3ed7f66358688d49fb33cfb603f7)
---
 src/api/sockets.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/src/api/sockets.c b/src/api/sockets.c
index d4ddb76a..1e7e6bae 100644
--- a/src/api/sockets.c
+++ b/src/api/sockets.c
@@ -407,7 +407,7 @@ alloc_socket(struct netconn *newconn, int accepted)
 for (i = 0; i < NUM_SOCKETS; ++i) {
 /* Protect socket array */
 SYS_ARCH_PROTECT(lev);
- if (!sockets[i].conn) {
+ if (!sockets[i].conn && (sockets[i].select_waiting == 0)) {
 sockets[i].conn = newconn;
 /* The socket is not yet known to anyone, so no need to protect
 after having marked it as used. */
@@ -420,7 +420,6 @@ alloc_socket(struct netconn *newconn, int accepted)
 sockets[i].sendevent = (NETCONNTYPE_GROUP(newconn->type) == NETCONN_TCP ? (accepted != 0) : 1);
 sockets[i].errevent = 0;
 sockets[i].err = 0;
- sockets[i].select_waiting = 0;
 return i + LWIP_SOCKET_OFFSET;
 }
 SYS_ARCH_UNPROTECT(lev);
@@ -1490,9 +1489,7 @@ lwip_select(int maxfdp1, fd_set *readset, fd_set *writeset, fd_set *exceptset,
 SYS_ARCH_PROTECT(lev);
 sock = tryget_socket(i);
 if (sock != NULL) {
- /* @todo: what if this is a new socket (reallocated?) in this case,
- select_waiting-- would be wrong (a global 'sockalloc' counter,
- stored per socket could help) */
+ /* for now, handle select_waiting==0... */
 LWIP_ASSERT("sock->select_waiting > 0", sock->select_waiting > 0);
 if (sock->select_waiting > 0) {
 sock->select_waiting--;
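Review bot: The new `select_waiting == 0` test in alloc_socket() makes the counter the only thing that releases a slot for reuse, and the unconditional reset is removed in the following hunk, so a count that never returns to zero takes that slot out of the pool permanently. In lwip_select() (last hunk) the decrement runs only when `tryget_socket(i)` returns non-NULL; if that helper rejects a slot whose `conn` was cleared by a close during the wait (its body is not shown here, so this needs confirming), the waiter's count is never released and repeated close-during-select could exhaust NUM_SOCKETS. Consider releasing the count through a lookup that does not depend on `conn`, and document the condition with something like `/* skip slots that still have select() waiters: reusing one would let lwip_select() act on the wrong socket */`. alloc_socket()'s body starts and ends outside the hunk.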
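Review bot: The replacement comment `/* for now, handle select_waiting==0... */` in lwip_select() does not say when the counter could be zero at this point or what the interim handling is waiting for, while the LWIP_ASSERT directly below still treats zero as a bug. Stating the invariant would serve the next reader better, e.g. `/* alloc_socket() does not reuse a slot while select_waiting != 0, so this is still the socket we registered on */`, with a second line noting that the `> 0` check presumably covers builds where LWIP_ASSERT is compiled out. The enclosing loop and the rest of lwip_select() lie outside the hunk.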