[lwip-devel] [bug #60532] Double free and assert "pbuf_free: p->ref > 0"
From: SviMik
Subject: [lwip-devel] [bug #60532] Double free and assert "pbuf_free: p->ref > 0" fail
Date: Wed, 5 May 2021 19:07:19 -0400 (EDT)
User-agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36
Follow-up Comment #2, bug #60532 (project lwip):
The problem happens when mem_trim() is called in pbuf.c.
In my project mem_trim() is implemented via realloc() in the following way:
#include <stdlib.h>
#include "lwip/mem.h"   /* mem_size_t */

void *mem_trim(void *mem, mem_size_t size)
{
    /* shrink via the C library; realloc() may hand back a different pointer */
    return realloc(mem, size);
}
The problem is that realloc() returns a new pointer that must be saved; the
old pointer is considered freed (that's exactly what valgrind says) and can't
be used anymore. So what happens is that lwip keeps using the old pointer,
ignoring the return value of mem_trim().
I'm reading the code in pbuf.c but I can't see how the new pointer is stored:
    /* reallocate and adjust the length of the pbuf that will be split */
    q = (struct pbuf *)mem_trim(q, (mem_size_t)(((u8_t *)q->payload - (u8_t *)q) + rem_len));
    LWIP_ASSERT("mem_trim returned q == NULL", q != NULL);
  }
  /* adjust length fields for new last pbuf */
  q->len = rem_len;
  q->tot_len = q->len;
  /* any remaining pbufs in chain? */
  if (q->next != NULL) {
    /* free remaining pbufs in chain */
    pbuf_free(q->next);
  }
  /* q is last packet in chain */
  q->next = NULL;
} <--- at this point the q will be lost forever
Reply to this item at: <https://savannah.nongnu.org/bugs/?60532>
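Added example, not code from the report or from lwip: a small C model of the mechanism described in the comment above. It mirrors the quoted pbuf_realloc() fragment (the trimmed pointer is stored only in the local q, the predecessor's next pointer is not updated) and compares a mem_trim that relocates the block, as a realloc()-based one may, with one that shrinks in place; the struct, both trim variants and the chain helper are constructed for illustration.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct pbuf with only the fields the report involves (constructed). */
struct pbuf { struct pbuf *next; size_t len; };

typedef void *(*trim_fn)(void *mem, size_t size);

/* mem_trim over a relocating allocator: realloc() is allowed to move the block,
   which is modelled here deterministically as copy-into-new-block + free(old).
   After this call the old pointer is invalid, which is what valgrind reports. */
static void *mem_trim_moving(void *mem, size_t size) {
    void *moved = malloc(size);
    if (moved == NULL) return NULL;
    memcpy(moved, mem, size);
    free(mem);
    return moved;
}

/* A shrink that never relocates: keeping the surplus bytes is a valid trim, and
   every other reference to the block (e.g. a predecessor's ->next) stays valid. */
static void *mem_trim_inplace(void *mem, size_t size) {
    (void)size;
    return mem;
}

/* Mirrors the quoted pbuf_realloc() fragment: the trim result lands only in the
   local q, while the predecessor p keeps the pointer it already had.
   Returns 1 if p->next still points at the block that survived the trim. */
int chain_intact_after_trim(trim_fn trim) {
    struct pbuf *p = malloc(sizeof *p);
    struct pbuf *q = malloc(sizeof *q + 64);   /* second pbuf with 64 surplus bytes */
    assert(p != NULL && q != NULL);
    p->next = q;
    q->next = NULL;
    q->len = 64;
    q = trim(q, sizeof *q);                    /* like mem_trim() in pbuf_realloc() */
    assert(q != NULL);
    q->len = 0;
    q->next = NULL;                            /* "q is last packet in chain" */
    int intact = (p->next == q);               /* stale p->next: a later pbuf_free(p) would double-free */
    free(q);
    free(p);
    return intact;
}

int main(void) {
    return (chain_intact_after_trim(mem_trim_inplace) && !chain_intact_after_trim(mem_trim_moving)) ? 0 : 1;
}
```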