[lwip-devel] [bug #61666] A memory leak BUG in function tcp_input().

[Enrico Murador]

Follow-up Comment #5, bug #61666 (project lwip):

I am getting the same issue. I am working with httpd server.

My scenario: after httpd finish sending data in response to a PUSH request
from client, tcp_input() receives a packet (the first part of a GET request)
for the same pcb that is handling the PUSH data.
tcp_input() calls TCP_EVENT_SENT callback (http_sent), that calls http_send(),
then http_check_eof(), that calls http_eof() because it founds the send is
done.
http_eof() closes the connection (call sequence:
http_close_conn->http_close_or_abort_conn->tcp_close->tcp_close_shutdown).
tcp_close_shutdown calls tcp_rst() because application has still to receive
the data (TCP_EVENT_RECV callback has yet to be called, code is after the call
to TCP_EVENT_SENT callback.
After the TCP_EVENT_SENT callback return, tcp_input() calls
tcp_input_delayed_close() that returns 1 and code jumps to "aborted".

Now, inseg.p is NULL, probably (I have yet to verify it, but it seems the only
possibility) because before the call to TCP_EVENT_SENT callback, tcp_input()
calls tcp_process() that calls tcp_receive(), that passes the inseg.p pointer
to recv_data and NULLs inseg.p (code comment is: "Since this pbuf now is the
responsibility of the application, we delete our reference to it so that we
won't (mistakingly) deallocate it").

So back in tcp_input(), the code returns after taking the "aborted" route
without freeing the pbuf that should be still in charge of tcp, because
TCP_EVENT_RECV callback has not been called.


    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?61666>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/