Hi,

On Thu, Oct 29, 2015 at 08:06:30PM +0530, Dinesh Pandey wrote:
> Looks like I found the cause of 'my' loop.
>
> I was calling tcp_close twice on a TCP PCB.
>
> The memp_free routine simply puts the TCP PCB at the head of the linked
> list. If memp_free is called twice with the same TCP PCB, the first element
> starts to point back to itself.
>
> When a new TCP connection is created, memp_alloc will return this
> looped member and you will end up with a looped PCB linked list.
Indeed, this is actually a use-after-free security hole.

Sylvain
lwip-users mailing list
https://lists.nongnu.org/mailman/listinfo/lwip-users
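The mechanism Dinesh describes (an intrusive free list where memp_free pushes the freed element at the head, so a second free of the same element makes it point at itself, and the next memp_alloc hands that element out again) can be reproduced in a few lines. The following C program is an added example written for this page, not lwIP code: `struct pool`, `pool_alloc`, `pool_free_unchecked` and `pool_free_checked` are a constructed, simplified model of a fixed-size pool, not lwIP's memp API. It shows the unchecked free producing the self-loop and the aliasing that makes this a use-after-free (two later allocations return the same PCB), and beside it a checked free that refuses the second release. lwIP itself offers `MEMP_SANITY_CHECK` in opt.h, which walks the free list after each memp_free looking for cycles; the bounded walk in `pool_free_list_loops` below plays the same detection role.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fixed-size pool with an intrusive singly-linked
 * free list, the shape the thread describes for lwIP's memp. Not lwIP code. */
#define POOL_SIZE 4

struct pcb {
    struct pcb *next;   /* free-list link while the element is free */
    int local_port;     /* payload while the element is allocated */
};

struct pool {
    struct pcb elems[POOL_SIZE];
    struct pcb *free_head;
    bool in_use[POOL_SIZE];   /* allocation state, used by the checked free */
};

void pool_init(struct pool *p) {
    memset(p, 0, sizeof *p);
    for (int i = 0; i < POOL_SIZE - 1; i++) {
        p->elems[i].next = &p->elems[i + 1];
    }
    p->elems[POOL_SIZE - 1].next = NULL;
    p->free_head = &p->elems[0];
}

/* Pop from the head, as memp_alloc does. */
struct pcb *pool_alloc(struct pool *p) {
    struct pcb *e = p->free_head;
    if (e == NULL) return NULL;
    p->free_head = e->next;
    p->in_use[e - p->elems] = true;
    return e;
}

/* Unchecked free: push at the head, the behaviour described in the thread.
 * Freeing the same element twice sets e->next = e. */
void pool_free_unchecked(struct pool *p, struct pcb *e) {
    e->next = p->free_head;
    p->free_head = e;
}

/* Checked free: refuses anything that is not a currently allocated element
 * of this pool, so a double free is reported instead of corrupting the list. */
bool pool_free_checked(struct pool *p, struct pcb *e) {
    ptrdiff_t idx = e - p->elems;
    if (idx < 0 || idx >= POOL_SIZE || !p->in_use[idx]) return false;
    p->in_use[idx] = false;
    e->next = p->free_head;
    p->free_head = e;
    return true;
}

/* Bounded walk of the free list: a list with more nodes than the pool has
 * elements must contain a cycle. Terminates even when the list loops. */
bool pool_free_list_loops(const struct pool *p) {
    int steps = 0;
    for (const struct pcb *e = p->free_head; e != NULL; e = e->next) {
        if (++steps > POOL_SIZE) return true;
    }
    return false;
}

/* The thread's scenario: one allocation, tcp_close-style free twice. */
bool demo_double_free_corrupts(void) {
    struct pool p;
    pool_init(&p);
    struct pcb *a = pool_alloc(&p);
    pool_free_unchecked(&p, a);
    pool_free_unchecked(&p, a);           /* second free: a->next == a */
    return pool_free_list_loops(&p) && a->next == a;
}

/* Why it is a use-after-free: after the double free, two distinct
 * "new connections" are handed the same PCB and overwrite each other. */
bool demo_double_free_aliases(void) {
    struct pool p;
    pool_init(&p);
    struct pcb *a = pool_alloc(&p);
    pool_free_unchecked(&p, a);
    pool_free_unchecked(&p, a);
    struct pcb *x = pool_alloc(&p);
    struct pcb *y = pool_alloc(&p);
    x->local_port = 1;
    y->local_port = 2;                    /* clobbers x's state */
    return x == y && x == a && x->local_port == 2;
}

/* With the checked free, the second release is rejected and the list stays sane. */
bool demo_checked_free_rejects(void) {
    struct pool p;
    pool_init(&p);
    struct pcb *a = pool_alloc(&p);
    bool first = pool_free_checked(&p, a);
    bool second = pool_free_checked(&p, a);
    return first && !second && !pool_free_list_loops(&p);
}

int main(void) {
    printf("unchecked double free creates a loop: %d\n", demo_double_free_corrupts());
    printf("two later allocs alias the same PCB:  %d\n", demo_double_free_aliases());
    printf("checked free rejects the second free: %d\n", demo_checked_free_rejects());
    return 0;
}
```

The in-use bitmap costs one byte per element and turns a silent list corruption into a return value the caller can log or assert on; a cycle walk after each free, as `MEMP_SANITY_CHECK` does, catches the same class of bug without per-element state but at O(n) per free.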
