From 39a9c5a3c5dad7939ad11c8fb29ff1f08f5fb5bd Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt <goldsimon@gmx.de>
Date: Fri, 1 Oct 2021 19:44:07 +0200
Subject: [PATCH] netif: fix removing ext-callback while callback is called

When a registered netif ext-callback unregisters itself when being
called (e.g. because some state is reached by this event), the invoke
iteration might access uninitialized memory or at least stop the
iteration (because next is set to null).

Fix his by caching the next pointer during iteration before calling
callbacks.

Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
---
 src/core/netif.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/core/netif.c b/src/core/netif.c
index cf73a209..d3a06774 100644
--- a/src/core/netif.c
+++ b/src/core/netif.c
@@ -1825,11 +1825,11 @@ netif_remove_ext_callback(netif_ext_callback_t* callback)
       if (iter == callback) {
         LWIP_ASSERT("last != NULL", last != NULL);
         last->next = callback->next;
-        callback->next = NULL;
-        return;
+        break;
       }
     }
   }
+  callback->next = NULL;
 }
 
 /**
@@ -1846,8 +1846,10 @@ netif_invoke_ext_callback(struct netif *netif, netif_nsc_reason_t reason, const
   LWIP_ASSERT("netif must be != NULL", netif != NULL);
 
   while (callback != NULL) {
+    /* cache next pointer: the callback might unregister itself */
+    netif_ext_callback_t *next = callback->next;
     callback->callback_fn(netif, reason, args);
-    callback = callback->next;
+    callback = next;
   }
 }
 #endif /* LWIP_NETIF_EXT_STATUS_CALLBACK */