From fc5b6f7b0eee88c52080cfc796693ef092288f1a Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt
Date: Thu, 28 Jan 2021 20:00:11 +0100
Subject: [PATCH] lwiperf: fix double-free of pcb on error

See bug #59841 (PCB double-free happened at lwiperf TCP error)
Signed-off-by: Simon Goldschmidt
---
 src/apps/lwiperf/lwiperf.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/apps/lwiperf/lwiperf.c b/src/apps/lwiperf/lwiperf.c
index 7fc3b612..26b1e3b5 100644
--- a/src/apps/lwiperf/lwiperf.c
+++ b/src/apps/lwiperf/lwiperf.c
@@ -264,7 +264,7 @@ lwiperf_tcp_close(lwiperf_state_tcp_t *conn, enum lwiperf_report_type report_typ
 /* don't want to wait for free memory here... */
 tcp_abort(conn->conn_pcb);
 }
- } else {
+ } else if (conn->server_pcb != NULL) {
 /* no conn pcb, this is the listener pcb */
 err = tcp_close(conn->server_pcb);
 LWIP_ASSERT("error", err == ERR_OK);
@@ -566,6 +566,11 @@ lwiperf_tcp_err(void *arg, err_t err)
 {
 lwiperf_state_tcp_t *conn = (lwiperf_state_tcp_t *)arg;
 LWIP_UNUSED_ARG(err);
+
+ /* pcb is already deallocated, prevent double-free */
+ conn->conn_pcb = NULL;
+ conn->server_pcb = NULL;
+
 lwiperf_tcp_close(conn, LWIPERF_TCP_ABORTED_REMOTE);
 }
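Review bot: The comment kept under the new `else if (conn->server_pcb != NULL)` in lwiperf_tcp_close still reads `/* no conn pcb, this is the listener pcb */`, which no longer covers the case this change creates: both pointers NULL and nothing closed. That silent third path is what prevents the second free, so it deserves a line of its own, for example `/* no conn pcb: close the listener pcb if this state owns one; both are NULL when called from lwiperf_tcp_err() */`. lwiperf_tcp_close starts and ends outside the hunk, so what follows this branch is not visible here.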
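Review bot: Clearing `conn->server_pcb` unconditionally in lwiperf_tcp_err goes further than the added comment justifies: the comment speaks of one pcb that is already deallocated, yet two pointers are dropped. If a state reaching this callback could ever hold a still-live listener in `server_pcb`, the `else if (conn->server_pcb != NULL)` guard added in lwiperf_tcp_close would skip its `tcp_close()` and the listener would be leaked instead of double-freed. Where this callback is registered is not visible here, so that may be impossible in practice. Either clear only `conn->conn_pcb`, or extend the comment to state the invariant, e.g. `/* the stack has already freed the pcb; connection states own no listener, so clear both */`.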