diff --git a/ChangeLog b/ChangeLog index 776a642a5b..65873be4db 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6420,3 +6420,5 @@ Extended from logic provided by Jason Jiang. Enabled with CONFIG_NET_SOLINGER. At this point, it has only been verified that the changes does not seem to do any harm (2014-1-13). + * net/connect.c and net/uip/uip_callback.c: prevent tcp_connect + callback from being double freed. From Max Holtzberg (2014-1-13). diff --git a/net/connect.c b/net/connect.c index fdbb34f55f..73cb61bd41 100644 --- a/net/connect.c +++ b/net/connect.c @@ -138,6 +138,8 @@ static inline void tcp_teardown_callbacks(struct tcp_connect_s *pstate, uip_tcpcallbackfree(conn, pstate->tc_cb); + pstate->tc_cb = NULL; + /* If we successfully connected, we will continue to monitor the connection * state via callbacks. */ diff --git a/net/net_close.c b/net/net_close.c index 8aa775abaf..42b87d2f5f 100644 --- a/net/net_close.c +++ b/net/net_close.c @@ -91,7 +91,7 @@ struct tcp_close_s * Check for a timeout on a lingering close. * * Parameters: - * pstate send state structure + * pstate - close state structure * * Returned Value: * TRUE:timeout FALSE:no timeout @@ -310,7 +310,7 @@ static inline int netclose_disconnect(FAR struct socket *psock) * enabled. */ - state.cl_cb->priv = (void*)&state; + state.cl_cb->priv = (FAR void *)&state; /* Set up for the lingering wait */ diff --git a/net/uip/uip_callback.c b/net/uip/uip_callback.c index 0c8c3aaa01..e945c5b1a6 100644 --- a/net/uip/uip_callback.c +++ b/net/uip/uip_callback.c @@ -161,9 +161,22 @@ void uip_callbackfree(FAR struct uip_callback_s *cb, FAR struct uip_callback_s * if (cb) { + save = uip_lock(); + +#ifdef CONFIG_DEBUG + /* Check for double freed callbacks */ + + curr = g_cbfreelist; + + while (curr != NULL) + { + DEBUGASSERT(cb != curr); + curr = curr->flink; + } +#endif + /* Find the callback structure in the connection's list */ - save = uip_lock(); if (list) { for (prev = NULL, curr = *list;