From fc5b6f7b0eee88c52080cfc796693ef092288f1a Mon Sep 17 00:00:00 2001
From: Simon Goldschmidt <goldsimon@gmx.de>
Date: Thu, 28 Jan 2021 20:00:11 +0100
Subject: [PATCH] lwiperf: fix double-free of pcb on error

See bug #59841 (PCB double-free happened at lwiperf TCP error)

Signed-off-by: Simon Goldschmidt <goldsimon@gmx.de>
---
 src/apps/lwiperf/lwiperf.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/apps/lwiperf/lwiperf.c b/src/apps/lwiperf/lwiperf.c
index 7fc3b612..26b1e3b5 100644
--- a/src/apps/lwiperf/lwiperf.c
+++ b/src/apps/lwiperf/lwiperf.c
@@ -264,7 +264,7 @@ lwiperf_tcp_close(lwiperf_state_tcp_t *conn, enum lwiperf_report_type report_typ
       /* don't want to wait for free memory here... */
       tcp_abort(conn->conn_pcb);
     }
-  } else {
+  } else if (conn->server_pcb != NULL) {
     /* no conn pcb, this is the listener pcb */
     err = tcp_close(conn->server_pcb);
     LWIP_ASSERT("error", err == ERR_OK);
@@ -566,6 +566,11 @@ lwiperf_tcp_err(void *arg, err_t err)
 {
   lwiperf_state_tcp_t *conn = (lwiperf_state_tcp_t *)arg;
   LWIP_UNUSED_ARG(err);
+
+  /* pcb is already deallocated, prevent double-free */
+  conn->conn_pcb = NULL;
+  conn->server_pcb = NULL;
+
   lwiperf_tcp_close(conn, LWIPERF_TCP_ABORTED_REMOTE);
 }