Improve pbuf refcount underflow check by checking the local variable on the stack that was assigned in a protected region

The old code was vulnerable to race conditions since it checked ref to be >0 without locks
This commit is contained in:
Dirk Ziegelmeier 2017-02-23 16:55:14 +01:00
parent 0a7734cf64
commit 62c44138da

View File

@ -743,17 +743,17 @@ pbuf_free(struct pbuf *p)
/* de-allocate all consecutive pbufs from the head of the chain that
* obtain a zero reference count after decrementing*/
while (p != NULL) {
u16_t ref;
LWIP_PBUF_REF_T ref;
SYS_ARCH_DECL_PROTECT(old_level);
/* Since decrementing ref cannot be guaranteed to be a single machine operation
* we must protect it. We put the new ref into a local variable to prevent
* further protection. */
SYS_ARCH_PROTECT(old_level);
/* all pbufs in a chain are referenced at least once */
LWIP_ASSERT("pbuf_free: p->ref > 0", p->ref > 0);
/* decrease reference count (number of pointers to pbuf) */
ref = --(p->ref);
SYS_ARCH_UNPROTECT(old_level);
/* Check for refcount underflow */
LWIP_ASSERT("pbuf_free: p->ref >= 0", ref >= 0);
/* this pbuf is no longer referenced to? */
if (ref == 0) {
/* remember next pbuf in chain for next iteration */