Fix bug #52686 (pointer 'to' checked for NULL in lwip_sendto() may be dereferenced)

Signed-off-by: goldsimon <goldsimon@gmx.de>
This commit is contained in:
goldsimon 2017-12-18 20:09:44 +01:00
parent 7c1f844782
commit b07a481f66

View File

@ -1564,7 +1564,7 @@ lwip_sendto(int s, const void *data, size_t size, int flags,
short_size = (u16_t)size; short_size = (u16_t)size;
LWIP_ERROR("lwip_sendto: invalid address", (((to == NULL) && (tolen == 0)) || LWIP_ERROR("lwip_sendto: invalid address", (((to == NULL) && (tolen == 0)) ||
(IS_SOCK_ADDR_LEN_VALID(tolen) && (IS_SOCK_ADDR_LEN_VALID(tolen) &&
IS_SOCK_ADDR_TYPE_VALID(to) && IS_SOCK_ADDR_ALIGNED(to))), ((to != NULL) && (IS_SOCK_ADDR_TYPE_VALID(to) && IS_SOCK_ADDR_ALIGNED(to))))),
sock_set_errno(sock, err_to_errno(ERR_ARG)); done_socket(sock); return -1;); sock_set_errno(sock, err_to_errno(ERR_ARG)); done_socket(sock); return -1;);
LWIP_UNUSED_ARG(tolen); LWIP_UNUSED_ARG(tolen);
@ -2173,15 +2173,14 @@ lwip_pollscan(struct pollfd *fds, nfds_t nfds, enum lwip_pollscan_opts opts)
SYS_ARCH_UNPROTECT(lev); SYS_ARCH_UNPROTECT(lev);
break; break;
} }
done_socket_locked(sock);
} else if ((opts & LWIP_POLLSCAN_DEC_WAIT) != 0) { } else if ((opts & LWIP_POLLSCAN_DEC_WAIT) != 0) {
/* for now, handle select_waiting==0... */ /* for now, handle select_waiting==0... */
LWIP_ASSERT("sock->select_waiting > 0", sock->select_waiting > 0); LWIP_ASSERT("sock->select_waiting > 0", sock->select_waiting > 0);
if (sock->select_waiting > 0) { if (sock->select_waiting > 0) {
sock->select_waiting--; sock->select_waiting--;
} }
done_socket_locked(sock);
} }
done_socket_locked(sock);
SYS_ARCH_UNPROTECT(lev); SYS_ARCH_UNPROTECT(lev);