TCP Networking: When CONFIG_NET_TCP_WRITE_BUFF=y there is a situation where a NULL pointer may be dereferenced. In this configuration, the TCP connection's 'semi-permnanent' callback, s_sndcb was nullified in tcp_close_disconnect. However, other logic in tcp_lost_connection() attempt to use that callback reference after it was nullifed. Fixed in tcp_lost_connectino() by adding a NULL pointer change before the access. This was reported by Dmitriy Linikov in Bitbucket Issue 72.

net/inet/inet_close.c

@@ -339,21 +339,18 @@ static inline int tcp_close_disconnect(FAR struct socket *psock)
   /* Interrupts are disabled here to avoid race conditions */
 
   net_lock();
-  conn = (FAR struct tcp_conn_s *)psock->s_conn;
 
+  conn = (FAR struct tcp_conn_s *)psock->s_conn;
+  DEBUGASSERT(conn != NULL);
+
+#ifdef CONFIG_NET_TCP_WRITE_BUFFERS
   /* If we have a semi-permanent write buffer callback in place, then
    * release it now.
    */
 
-#ifdef CONFIG_NET_TCP_WRITE_BUFFERS
+  psock->s_sndcb = NULL;
-  if (psock->s_sndcb)
-    {
-      psock->s_sndcb = NULL;
-    }
 #endif
 
-  DEBUGASSERT(conn != NULL);
-
   /* Check for the case where the host beat us and disconnected first */
 
   if (conn->tcpstateflags == TCP_ESTABLISHED &&

net/tcp/tcp_monitor.c

@@ -427,11 +427,18 @@ void tcp_lost_connection(FAR struct socket *psock,
 
   /* Nullify the callback structure so that recursive callbacks are not
    * received by the event handler due to disconnection processing.
+   *
+   * NOTE: In a configuration with CONFIG_NET_TCP_WRITE_BUFFERS=y,
+   * the "semi-permanent" callback structure may have already been
+   * nullified.
    */
 
-  cb->flags = 0;
+  if (cb != NULL)
-  cb->priv  = NULL;
+    {
-  cb->event = NULL;
+      cb->flags = 0;
+      cb->priv  = NULL;
+      cb->event = NULL;
+    }
 
   /* Make sure that this socket is explicitly marked.  It may not get a
    * callback due to the above nullification.