From 05a68332f6685851f4e877b35bd9d41e6a25e407 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ole=20Andr=C3=A9=20Vadla=20Ravn=C3=A5s?=
Date: Fri, 12 Jul 2024 00:05:34 +0200
Subject: [PATCH] network-stack: Fix TcpConnection use-after-free

When lwIP notifies us about the PCB being closed or an error, we must clear its user data so any future callbacks don't end up using the TcpConnection after it's gone.
---
 src/fruity/network-stack.vala | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/fruity/network-stack.vala b/src/fruity/network-stack.vala
index 83732d20d..c19979be7 100644
--- a/src/fruity/network-stack.vala
+++ b/src/fruity/network-stack.vala
@@ -499,6 +499,11 @@ namespace Frida.Fruity {
 });
 }

+ private void detach_from_pcb () {
+ pcb.set_user_data (null);
+ pcb = null;
+ }
+
 private void on_connect () {
 lock (state)
 tx_space_available = pcb.query_available_send_buffer_space ();
@@ -516,7 +521,7 @@ namespace Frida.Fruity {

 private void on_recv (owned LWIP.PacketBuffer? pbuf, LWIP.ErrorCode err) {
 if (pbuf == null) {
- pcb = null;
+ detach_from_pcb ();
 schedule_on_frida_thread (() => {
 _state = CLOSED;
 update_events ();
@@ -539,7 +544,7 @@ namespace Frida.Fruity {
 }

 private void on_error (LWIP.ErrorCode err) {
- pcb = null;
+ detach_from_pcb ();
 schedule_on_frida_thread (() => {
 _state = CLOSED;
 update_events ();
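Review bot: `detach_from_pcb ()` dereferences `pcb` without checking it, and it is now reached from both on_recv (null `pbuf`) and on_error. If both callbacks can fire for one connection, or if a close path elsewhere in the class has already cleared the field, the second call hands a null PCB to `set_user_data`; whether the binding tolerates that is not visible in this hunk. A guard at the top, `if (pcb == null) return;`, would make the helper safe to call more than once. A short comment above it, such as `// Clear the PCB's user data so later lwIP callbacks cannot reach this TcpConnection once it is gone.`, would record why the user data is cleared before the field is dropped. The enclosing class starts and ends outside the hunk.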
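Review bot: In on_error, `detach_from_pcb ()` calls `pcb.set_user_data (null)` on a PCB that lwIP may already have released. lwIP's documentation for the TCP error callback notes that the corresponding pcb is already freed when the callback is invoked. If on_error is wired to that callback (the registration is outside this hunk), the new call replaces a stale read with a write into freed pool memory, and no further callbacks for that PCB are expected anyway. Keeping the plain `pcb = null;` in on_error and using the helper only in on_recv, where the PCB is still live, would avoid the write. on_error's body continues outside the hunk.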