TCP Networking: When CONFIG_NET_TCP_WRITE_BUFF=y there is a situation where a NULL pointer may be dereferenced. In this configuration, the TCP connection's 'semi-permanent' callback, s_sndcb, was nullified in tcp_close_disconnect. However, other logic in tcp_lost_connection() attempts to use that callback reference after it was nullified. Fixed in tcp_lost_connection() by adding a NULL pointer check before the access. This was reported by Dmitriy Linikov in Bitbucket Issue 72.

This commit is contained in:
Gregory Nutt
2017-10-13 06:47:09 -06:00
parent 7c815e555c
commit 5ffd034f40
2 changed files with 15 additions and 11 deletions
+10 -3
@@ -427,11 +427,18 @@ void tcp_lost_connection(FAR struct socket *psock,
/* Nullify the callback structure so that recursive callbacks are not
* received by the event handler due to disconnection processing.
*
* NOTE: In a configuration with CONFIG_NET_TCP_WRITE_BUFFERS=y,
* the "semi-permanent" callback structure may have already been
* nullified.
*/
cb->flags = 0;
cb->priv = NULL;
cb->event = NULL;
if (cb != NULL)
{
cb->flags = 0;
cb->priv = NULL;
cb->event = NULL;
}
/* Make sure that this socket is explicitly marked. It may not get a
* callback due to the above nullification.
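Review bot: the new `if (cb != NULL)` guard closes the dereference, but the comment directly above it now uses "nullified" in two different senses in the same block: "Nullify the callback structure" means clearing `cb->flags`, `cb->priv` and `cb->event`, while "may have already been nullified" in the NOTE means the `cb` pointer itself is NULL. Suggest rewording the NOTE to say that `cb` itself may already be NULL in that configuration, so the guard's purpose is obvious to the next reader. Separately, the NOTE names the option `CONFIG_NET_TCP_WRITE_BUFFERS` while the commit message names it `CONFIG_NET_TCP_WRITE_BUFF`; confirm the spelling against Kconfig and use the same name in both places so a grep for the option finds this code.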