That call stack does not mean the corruption happens in this call stack.
For debugging, can you simply call memp_free on the tcp PCB from your application thread? If the sanity check already hits you there, then it is most probably your application's problem.
If you are on a platform with HW breakpoints, put a WRITE breakpoint on the address range right behind the TCP PCB that is sanity checked in do_memp_free_pool. You will immediately see who writes in there.