TCP Networking: When CONFIG_NET_TCP_WRITE_BUFFERS=y there is a situation where a NULL pointer may be dereferenced. In this configuration, the TCP connection's 'semi-permanent' callback, s_sndcb, was nullified in tcp_close_disconnect. However, other logic in tcp_lost_connection() attempts to use that callback reference after it was nullified. Fixed in tcp_lost_connection() by adding a NULL pointer check before the access. This was reported by Dmitriy Linikov in Bitbucket Issue 72.

Gregory Nutt
2017-10-13 06:47:09 -06:00
parent 7c815e555c
commit 5ffd034f40
2 changed files with 15 additions and 11 deletions
+5 -8
@@ -339,21 +339,18 @@ static inline int tcp_close_disconnect(FAR struct socket *psock)
/* Interrupts are disabled here to avoid race conditions */
net_lock();
conn = (FAR struct tcp_conn_s *)psock->s_conn;
conn = (FAR struct tcp_conn_s *)psock->s_conn;
DEBUGASSERT(conn != NULL);
#ifdef CONFIG_NET_TCP_WRITE_BUFFERS
/* If we have a semi-permanent write buffer callback in place, then
* release it now.
*/
#ifdef CONFIG_NET_TCP_WRITE_BUFFERS
if (psock->s_sndcb)
{
psock->s_sndcb = NULL;
}
psock->s_sndcb = NULL;
#endif
DEBUGASSERT(conn != NULL);
/* Check for the case where the host beat us and disconnected first */
if (conn->tcpstateflags == TCP_ESTABLISHED &&
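Review bot: The comment kept above the CONFIG_NET_TCP_WRITE_BUFFERS block promises to "release it now", but the only statement left in the hunk is `psock->s_sndcb = NULL;`, which detaches the pointer without releasing anything; either the comment should say the callback reference is cleared (and the actual release of the callback structure happens elsewhere), or the release call belongs here before the assignment. Dropping the `if (psock->s_sndcb)` guard is fine for a plain pointer store. Two smaller points in the same hunk: the leading comment "Interrupts are disabled here to avoid race conditions" no longer matches the code, which takes `net_lock()` rather than disabling interrupts, and `DEBUGASSERT(conn != NULL)` is now placed after the block that reads `psock->s_sndcb`, which is harmless but reads more naturally directly after the `conn` assignment.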