From 734ada3e2980d1bbf5c7a1ea5c624b34be16dfa9 Mon Sep 17 00:00:00 2001 From: Damien George Date: Wed, 29 May 2019 01:24:43 +1000 Subject: [PATCH] extmod/modlwip: Free any incoming bufs/connections before closing PCB. Commit 2848a613ac61fce209962354c2698ee587a2c26a introduced a bug where lwip_socket_free_incoming() accessed pcb.tcp->state after the PCB was closed. The state may have changed due to that close call, or the PCB may be freed and therefore invalid. This commit fixes that by calling lwip_socket_free_incoming() before the PCB is closed. --- extmod/modlwip.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/extmod/modlwip.c b/extmod/modlwip.c index e0bf17db8c..06ed764b53 100644 --- a/extmod/modlwip.c +++ b/extmod/modlwip.c @@ -1416,6 +1416,9 @@ STATIC mp_uint_t lwip_socket_ioctl(mp_obj_t self_in, mp_uint_t request, uintptr_ tcp_err(socket->pcb.tcp, NULL); tcp_recv(socket->pcb.tcp, NULL); + // Free any incoming buffers or connections that are stored + lwip_socket_free_incoming(socket); + switch (socket->type) { case MOD_NETWORK_SOCK_STREAM: { if (tcp_close(socket->pcb.tcp) != ERR_OK) { @@ -1430,7 +1433,7 @@ STATIC mp_uint_t lwip_socket_ioctl(mp_obj_t self_in, mp_uint_t request, uintptr_ case MOD_NETWORK_SOCK_DGRAM: udp_remove(socket->pcb.udp); break; //case MOD_NETWORK_SOCK_RAW: raw_remove(socket->pcb.raw); break; } - lwip_socket_free_incoming(socket); + socket->pcb.tcp = NULL; socket->state = _ERR_BADF; ret = 0;