author Rohit Grover <rohit.grover@arm.com> 2016-09-12 14:43:47 +0100
committer Anas Nashif <nashif@linux.intel.com> 2016-10-08 21:20:28 +0000
commit f809c84de2f93564863123f429297a601ecf8a3c
tree 8717a68f5eb06ad1691336348dd460e242c16849 /net
parent 627feb92d4b01556891e232db6b9c9181899965b
net: fix a potential refcount leak of SYN buffers
net_send() is meant to release the refcount for the SYN buffer once a connection is established, but this assumes that the application uses net_send() for all outgoing buffers. It is possible to set up a connection (and therefore generate an outgoing SYN) by calling net_context_tcp_init(), which has the side-effect of overwriting connection_status. Using such an API would then break the assumption around net_send() reclaiming the refcount of the SYN buf.

A test case which exposes the problem:

* As a client, set up a connection with an HTTP server.
* Send an HTTP request contained in a buf using net_send()
* The server responds, and then tears down the connection.
* The test client then re-establishes another connection using net_context_tcp_init()--this overwrites connection_status, causing a refcount leak.

With this change, we remove the dependency on net_send() being called.

Change-Id: I96516cbca3e231ed7fb509a7c03c0ceebf80e03a
Signed-off-by: Rohit Grover <rohit.grover@arm.com>
Diffstat (limited to 'net')
-rw-r--r-- net/ip/contiki/ipv4/uip.c 5
1 files changed, 2 insertions, 3 deletions
diff --git a/net/ip/contiki/ipv4/uip.c b/net/ip/contiki/ipv4/uip.c
index 98eb06b55..d182c638e 100644
--- a/net/ip/contiki/ipv4/uip.c
+++ b/net/ip/contiki/ipv4/uip.c
@@ -1916,9 +1916,8 @@ uip_process(struct net_buf **buf_out, uint8_t flag)
net_context_set_connection_status(ip_buf_context(uip_connr->buf),
EISCONN);
- /* Eventually the uip_connr->buf will be freed
- * by net_core.c:net_send()
- */
+ ip_buf_unref(uip_connr->buf);
+ uip_connr->buf = NULL;
tcp_cancel_retrans_timer(uip_connr);
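Review bot: at the two added lines after net_context_set_connection_status(), nothing in this patch removes or guards the release that the deleted comment attributed to net_core.c:net_send(); the diffstat lists only uip.c. If net_send() still drops the SYN buffer reference once the connection is established, an application that does call net_send() would now release the same buffer twice, turning the leak into a double unref. Please confirm that the net_send() path is keyed on uip_connr->buf being non-NULL (which the new "uip_connr->buf = NULL;" would satisfy) or remove that release in the same change. The deleted comment was also the only documentation of who owns the SYN buffer at this point, so a one-line comment above ip_buf_unref() stating that the reference is dropped here on reaching EISCONN would keep the ownership rule visible. The ordering itself looks right: the buffer is dereferenced by ip_buf_context() before the unref, not after.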