]> rtime.felk.cvut.cz Git - pes-rpp/rpp-lwip.git/commitdiff
projects / pes-rpp / rpp-lwip.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 99aea7e)
fixed bug #37405 'err_tcp()' uses already freed 'netconn' object
authorgoldsimon <goldsimon@gmx.de>
Wed, 26 Sep 2012 19:50:42 +0000 (21:50 +0200)
committergoldsimon <goldsimon@gmx.de>
Wed, 26 Sep 2012 19:50:42 +0000 (21:50 +0200)
CHANGELOG patch | blob | history
src/api/api_msg.c patch | blob | history

diff --git a/CHANGELOG b/CHANGELOG
index 00a2a40a6c7a829d8d94f5b6f4d2450f48d1dfa8..6ad6d37b1213a2d6e9b002b0653ad48f19ea1851 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -80,6 +80,9 @@ HISTORY
 
  ++ Bugfixes:
 
+  2012-09-26: Simon Goldschmidt
+  * api_msg.c: fixed bug #37405 'err_tcp()' uses already freed 'netconn' object
+
   2012-09-26: patch by Henrik Persson
   * dhcp.c: patch #7843 Fix corner case with dhcp timeouts
 
diff --git a/src/api/api_msg.c b/src/api/api_msg.c
index 8b6286d989649cd7894d52ef6fefc063e988c783..b1a9b77257b96bb84d6216b0c280afab60e1bd21 100644 (file)
--- a/src/api/api_msg.c
+++ b/src/api/api_msg.c
@@ -456,6 +456,14 @@ accept_function(void *arg, struct tcp_pcb *newpcb, err_t err)
   if (sys_mbox_trypost(&conn->acceptmbox, newconn) != ERR_OK) {
     /* When returning != ERR_OK, the pcb is aborted in tcp_process(),
        so do nothing here! */
+    /* remove all references to this netconn from the pcb */
+    struct tcp_pcb* pcb = newconn->pcb.tcp;
+    tcp_arg(pcb, NULL);
+    tcp_recv(pcb, NULL);
+    tcp_sent(pcb, NULL);
+    tcp_poll(pcb, NULL, 4);
+    tcp_err(pcb, NULL);
+    /* remove reference from to the pcb from this netconn */
     newconn->pcb.tcp = NULL;
     /* no need to drain since we know the recvmbox is empty. */
     sys_mbox_free(&newconn->recvmbox);