net: fix a potential refcount leak of SYN buffers
net_send() is meant to release the refcount for the SYN buffer once a connection is established, but this assumes that the application uses net_send() for all outgoing buffers. It is possible to setup a connection (and therefore generate an outgoing SYN) by calling net_context_tcp_init(), which has the side-effect of overwriting connection_status . Using such an API would then break the assumption around net_send() reclaiming the refcount of the SYN buf. A test case which exposes the problem: * As a client, setup a connection with an HTTP server. * Send an HTTP request contained in a buf using net_send() * The server responds, and then tears down the connection. * The test client then re-establishes another connection using net_context_tcp_init()--this overwrites connection_status, causing a refcount leak. With this change, we remove the dependency on net_send() being called. Change-Id: I96516cbca3e231ed7fb509a7c03c0ceebf80e03a Signed-off-by: Rohit Grover <rohit.grover@arm.com>
This commit is contained in:
Rohit Grover
Anas Nashif
parent
627feb92d4
commit
f809c84de2
1 changed files with 2 additions and 3 deletions
|
|
@ -1916,9 +1916,8 @@ uip_process(struct net_buf **buf_out, uint8_t flag)
|
|||
net_context_set_connection_status(ip_buf_context(uip_connr->buf),
|
||||
EISCONN);
|
||||
|
||||
/* Eventually the uip_connr->buf will be freed
|
||||
* by net_core.c:net_send()
|
||||
*/
|
||||
ip_buf_unref(uip_connr->buf);
|
||||
uip_connr->buf = NULL;
|
||||
|
||||
tcp_cancel_retrans_timer(uip_connr);
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue