From b5dd87b184d1098a743e2a0b9a64e92abcf240ad Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Sun, 27 Mar 2011 13:58:26 +0000
Subject: [PATCH] Fixed bug #32280 (ppp: a pbuf is freed twice)
---
 CHANGELOG | 3 +++
 src/netif/ppp/ppp.c | 18 +++++++++++-------
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 5f0711e4..3c309413 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -237,6 +237,9 @@ HISTORY
 ++ Bugfixes:
+ 2011-03-27: Simon Goldschmidt
+ * ppp.c: Fixed bug #32280 (ppp: a pbuf is freed twice)
+
 2011-03-27: Simon Goldschmidt
 * sockets.c: Fixed bug #32906: lwip_connect+lwip_send did not work for udp and raw pcbs with LWIP_TCPIP_CORE_LOCKING==1.
diff --git a/src/netif/ppp/ppp.c b/src/netif/ppp/ppp.c
index c302b424..e9b433b0 100644
--- a/src/netif/ppp/ppp.c
+++ b/src/netif/ppp/ppp.c
@@ -365,7 +365,6 @@ pppLinkTerminated(int pd)
 PPPControl* pc;
 pppRecvWakeup(pd);
 pc = &pppControl[pd];
- pppDrop(&pc->rx); /* bug fix #17726 */
 PPPDEBUG(LOG_DEBUG, ("pppLinkTerminated: unit %d: linkStatusCB=%p errCode=%d\n", pd, pc->linkStatusCB, pc->errCode));
 if (pc->linkStatusCB) {
@@ -1799,6 +1798,7 @@ pppInProc(PPPControlRx *pcrx, u_char *s, int l)
 pppDrop(pcrx);
 /* Otherwise it's a good packet so pass it on. */
 } else {
+ struct pbuf *inp;
 /* Trim off the checksum. */
 if(pcrx->inTail->len >= 2) {
 pcrx->inTail->len -= 2;
@@ -1817,18 +1817,20 @@ pppInProc(PPPControlRx *pcrx, u_char *s, int l)
 }
 /* Dispatch the packet thereby consuming it. */
+ inp = pcrx->inHead;
+ /* Packet consumed, release our references. */
+ pcrx->inHead = NULL;
+ pcrx->inTail = NULL;
 #if PPP_INPROC_MULTITHREADED
- if(tcpip_callback_with_block(pppInput, pcrx->inHead, 0) != ERR_OK) {
+ if(tcpip_callback_with_block(pppInput, inp, 0) != ERR_OK) {
 PPPDEBUG(LOG_ERR, ("pppInProc[%d]: tcpip_callback() failed, dropping packet\n", pcrx->pd));
- pbuf_free(pcrx->inHead);
+ pbuf_free(inp);
 LINK_STATS_INC(link.drop);
 snmp_inc_ifindiscards(&pppControl[pcrx->pd].netif);
 }
 #else /* PPP_INPROC_MULTITHREADED */
- pppInput(pcrx->inHead);
+ pppInput(inp);
 #endif /* PPP_INPROC_MULTITHREADED */
- pcrx->inHead = NULL;
- pcrx->inTail = NULL;
 }
 /* Prepare for a new packet. */
@@ -1902,10 +1904,12 @@ pppInProc(PPPControlRx *pcrx, u_char *s, int l)
 case PDDATA: /* Process data byte. */
 /* Make space to receive processed data. */
 if (pcrx->inTail == NULL || pcrx->inTail->len == PBUF_POOL_BUFSIZE) {
- if(pcrx->inTail) {
+ if (pcrx->inTail != NULL) {
 pcrx->inTail->tot_len = pcrx->inTail->len;
 if (pcrx->inTail != pcrx->inHead) {
 pbuf_cat(pcrx->inHead, pcrx->inTail);
+ /* give up the inTail reference now */
+ pcrx->inTail = NULL;
 }
 }
 /* If we haven't started a packet, we need a packet header. */
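Review bot: The added comment `/* Packet consumed, release our references. */` sits before the dispatch, where the packet has not been consumed yet, and it does not say why the pointers must be cleared first. The point of the reordering is that ownership of `inp` passes to `pppInput` (or to the `pbuf_free(inp)` on the failure path), so nothing reachable through `pcrx` may still refer to the chain; I would word it as `/* inp now belongs to pppInput() (or is freed below on failure); pcrx must not keep pointers to it. */`. The fix also relies on the first ppp.c hunk removing `pppDrop(&pc->rx)` from `pppLinkTerminated`; whether a partially assembled chain still held in `pc->rx` at link termination is released elsewhere is not visible here and should be confirmed, since otherwise those pbufs would leak. pppInProc's body starts and ends outside the hunk.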
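Review bot: Clearing `pcrx->inTail` after `pbuf_cat()` introduces an invariant that is not written down: `inTail` is either NULL or a pbuf that has not yet been chained into `inHead`. The good-packet path shown in the earlier hunk reads `pcrx->inTail->len` without a NULL check, so it depends on `inTail` being reassigned before a frame can complete; the allocation that follows this block, and its failure path, lie outside the hunk and should be checked against that. A comment at the assignment such as `/* the chain at inHead owns this pbuf now; inTail stays NULL until the next pbuf is allocated below */` would make the dependency explicit for the next change to this state machine.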