network-stack: Fix TcpConnection use-after-free

When lwIP notifies us about the PCB being closed or an error, we must clear its user data so any future callbacks don't end up using the TcpConnection after it's gone.
frida · Jul 11, 2024 · 05a6833 · 05a6833
1 parent 1352172
commit 05a6833
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/src/fruity/network-stack.vala b/src/fruity/network-stack.vala
@@ -499,6 +499,11 @@ namespace Frida.Fruity {
 				});
 			}
 
+			private void detach_from_pcb () {
+				pcb.set_user_data (null);
+				pcb = null;
+			}
+
 			private void on_connect () {
 				lock (state)
 					tx_space_available = pcb.query_available_send_buffer_space ();
@@ -516,7 +521,7 @@ namespace Frida.Fruity {
 
 			private void on_recv (owned LWIP.PacketBuffer? pbuf, LWIP.ErrorCode err) {
 				if (pbuf == null) {
-					pcb = null;
+					detach_from_pcb ();
 					schedule_on_frida_thread (() => {
 						_state = CLOSED;
 						update_events ();
@@ -539,7 +544,7 @@ namespace Frida.Fruity {
 			}
 
 			private void on_error (LWIP.ErrorCode err) {
-				pcb = null;
+				detach_from_pcb ();
 				schedule_on_frida_thread (() => {
 					_state = CLOSED;
 					update_events ();