From 5205317cf8379083878e63c84d8269c6d156e501 Mon Sep 17 00:00:00 2001 From: Kevin Schoedel <67607049+kpschoedel@users.noreply.github.com> Date: Fri, 5 Nov 2021 11:03:59 -0400 Subject: [PATCH] Fix potential leak in TCPEndPoint::LwIPHandleDataReceived (#11447) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### Problem `TCPEndPoint::LwIPHandleDataReceived()` receives a packet buffer and, in the normal case, forwards its ownership via `PostEvent()`. If that fails, `LwIPHandleDataReceived()` is responsible for freeing the pbuf, but doesn't. From LwIP documentation, “If the callback function returns ERR_OK or ERR_ABRT it must have freed the pbuf”. #### Change overview Call `pbuf_free()` if `PostEvent()` fails. #### Testing None; we don't have any way to instrument LwIP to verify this. --- src/inet/TCPEndPoint.cpp | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/inet/TCPEndPoint.cpp b/src/inet/TCPEndPoint.cpp index 91c70fdc686505..7c31e74e8e8e99 100644 --- a/src/inet/TCPEndPoint.cpp +++ b/src/inet/TCPEndPoint.cpp @@ -1086,7 +1086,13 @@ err_t TCPEndPoint::LwIPHandleDataReceived(void * arg, struct tcp_pcb * tpcb, str res = ERR_ABRT; if (res != ERR_OK) + { + if (p != nullptr) + { + pbuf_free(p); + } tcp_abort(tpcb); + } return res; }