From b07a481f6625b110a74272fbe1cde0332f76a4e5 Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Mon, 18 Dec 2017 20:09:44 +0100
Subject: [PATCH] Fix bug #52686 (pointer 'to' checked for NULL in lwip_sendto() may be dereferenced)
Signed-off-by: goldsimon
---
 src/api/sockets.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/api/sockets.c b/src/api/sockets.c
index beafa0c3..81053b0a 100644
--- a/src/api/sockets.c
+++ b/src/api/sockets.c
@@ -1564,7 +1564,7 @@ lwip_sendto(int s, const void *data, size_t size, int flags,
 short_size = (u16_t)size;
 LWIP_ERROR("lwip_sendto: invalid address", (((to == NULL) && (tolen == 0)) || (IS_SOCK_ADDR_LEN_VALID(tolen) &&
- IS_SOCK_ADDR_TYPE_VALID(to) && IS_SOCK_ADDR_ALIGNED(to))),
+ ((to != NULL) && (IS_SOCK_ADDR_TYPE_VALID(to) && IS_SOCK_ADDR_ALIGNED(to))))),
 sock_set_errno(sock, err_to_errno(ERR_ARG)); done_socket(sock); return -1;);
 LWIP_UNUSED_ARG(tolen);
@@ -2173,15 +2173,14 @@ lwip_pollscan(struct pollfd *fds, nfds_t nfds, enum lwip_pollscan_opts opts)
 SYS_ARCH_UNPROTECT(lev);
 break;
 }
- done_socket_locked(sock);
 } else if ((opts & LWIP_POLLSCAN_DEC_WAIT) != 0) {
 /* for now, handle select_waiting==0... */
 LWIP_ASSERT("sock->select_waiting > 0", sock->select_waiting > 0);
 if (sock->select_waiting > 0) {
 sock->select_waiting--;
 }
- done_socket_locked(sock);
 }
+ done_socket_locked(sock);
 SYS_ARCH_UNPROTECT(lev);
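Review bot: The added `(to != NULL)` guard in the LWIP_ERROR condition of lwip_sendto stops the NULL dereference, but the condition still validates `tolen` and the address family independently. Judging only from the lines visible here, a non-NULL `to` whose `sa_family` does not correspond to `tolen` would be accepted, and a later conversion of the address could then read past the caller's buffer. Consider accepting the address only when `tolen` equals the size of the sockaddr structure that `to->sa_family` selects. The condition is also hard to follow at this nesting depth; a comment above it such as `/* 'to' may be NULL only with tolen == 0; otherwise it must be non-NULL with valid length, family and alignment */` would document the contract. lwip_sendto starts before this hunk and continues after it, so the later use of `to` is not visible here.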