Double Free Issue Report #6

Closed
GANGE666 opened this issue May 11, 2021 · 3 comments

Comments

@GANGE666

I found a security issue in picoTCP v1.7.0 and picoTCP-NG v2.1. It's a double free bug in function pico_fragments_reassemble (Line 362 and Line 364 in modules/pico_fragments.c).

In function pico_transport_receive, when the switch goes into a default branch, it would release f (Line 239 in stack/pico_stack.c) and return -1. However, after -1 has been returned from pico_transport_receive(full, proto) (Line 362 in modules/pico_fragments.c), another pico_frame_discard(full) (Line 364 in modules/pico_fragments.c) would be called and pico_frame_discard releases full again. This leads to a double free bug.
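
The ownership mismatch described in this report, as an added C model (not picoTCP code and not the merged fix). The names `model_frame`, `model_discard`, `model_transport_receive` and both caller functions are hypothetical, the protocol numbers are constructed, and releases are counted instead of calling `free()` so the second release shows up as a number rather than as undefined behavior.

```c
#include <stdio.h>

/* Hypothetical stand-in for a frame; not picoTCP's struct pico_frame. */
struct model_frame {
    int releases;   /* how many times the frame has been released */
    int proto;
};

/* Counts releases instead of freeing, so a double release is observable. */
static void model_discard(struct model_frame *f) { f->releases++; }

#define MODEL_PROTO_KNOWN 1   /* constructed value for a handled protocol */

/* Callee: takes ownership of the frame on every path, including the error path. */
static int model_transport_receive(struct model_frame *f, int proto)
{
    switch (proto) {
    case MODEL_PROTO_KNOWN:
        model_discard(f);   /* model assumption: the handler consumes the frame */
        return 0;
    default:
        model_discard(f);   /* unhandled protocol: released here, then -1 */
        return -1;
    }
}

/* Caller pattern from the report: discards again when the callee returns -1. */
int reassemble_reported(int proto)
{
    struct model_frame full = { 0, proto };
    if (model_transport_receive(&full, proto) == -1)
        model_discard(&full);   /* second release of the same frame */
    return full.releases;
}

/* Caller that treats the callee as the single owner: no discard after the call. */
int reassemble_single_owner(int proto)
{
    struct model_frame full = { 0, proto };
    (void)model_transport_receive(&full, proto);
    return full.releases;
}

int main(void)
{
    printf("reported caller, unhandled proto: %d releases\n", reassemble_reported(99));
    printf("single-owner caller, unhandled proto: %d releases\n", reassemble_single_owner(99));
    return 0;
}
```

A release count above 1 for any input is the condition a sanitizer or allocator check would flag as a double free in real code.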

@danielinux
Member

Thanks for reporting, @GANGE666! A PR has been submitted.

@danielinux
Member

PR merged. Closing...

@liu-yichen-github

Could you provide an example that triggered this issue? Thank you.
