While pppac(4) destroys sessions by pipex_iface_fini() or by
pipex_ioctl() with PIPEXSMODE command, some sessions can be linked to
`state_list'. This case is not checked and sessions will never be
unlinked and `state_list' will be broken after session's memory freeing.
Diff below adds session removal from `state_list' in
pipex_unlink_session(). Also, the unlinked session's `state' is set to
PIPEX_STATE_CLOSED like pipex_close_session() does.
Index: sys/net/pipex.c
===================================================================
RCS file: /cvs/src/sys/net/pipex.c,v
retrieving revision 1.115
diff -u -p -r1.115 pipex.c
--- sys/net/pipex.c 18 Jun 2020 14:20:12 -0000 1.115
+++ sys/net/pipex.c 18 Jun 2020 16:37:44 -0000
@@ -473,8 +473,10 @@ pipex_unlink_session(struct pipex_sessio
break;
}
#endif
-
+ if (session->state == PIPEX_STATE_CLOSE_WAIT)
+ LIST_REMOVE(session, state_list);
LIST_REMOVE(session, session_list);
+ session->state = PIPEX_STATE_CLOSED;
/* if final session is destroyed, stop timer */
if (LIST_EMPTY(&pipex_session_list))
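
Review bot: The guard "if (session->state == PIPEX_STATE_CLOSE_WAIT)" in front of "LIST_REMOVE(session, state_list);" assumes PIPEX_STATE_CLOSE_WAIT is the only state in which a session is linked to state_list, and nothing in this hunk shows that. Please confirm that no other state leaves the session on that list, because any missed state would keep the dangling entry the message describes once the session memory is freed, and add a one-line comment above the check stating the invariant. Minor style point: the hunk drops the blank line after "#endif", so the new check now sits directly against the preprocessor block; keeping the blank line would read better.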