virtualsquare/picotcp

Double Free Issue Report

Closed this issue · 3 comments

I found a security issue in picoTCP v1.7.0 and picoTCP-NG v2.1. It's a double free bug in function pico_fragments_reassemble (Line 362 and Line 364 in modules/pico_fragments.c).

In function pico_transport_receive, when the switch goes into the default branch, it releases f (Line 239 in stack/pico_stack.c) and returns -1. However, after -1 has been returned from pico_transport_receive(full, proto) (Line 362 in modules/pico_fragments.c), another pico_frame_discard(full) (Line 364 in modules/pico_fragments.c) is called, and pico_frame_discard releases full again. This leads to a double free bug.
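The bug described above is an ownership mismatch: the callee frees the frame on its error path, but the caller treats the error return as "frame not consumed" and frees it again. The following is an added, self-contained C model of that pattern and of a caller that respects the ownership transfer; it is not picoTCP's code, and the names `frame`, `transport_receive`, `frame_discard`, `reassemble_vulnerable` and `reassemble_fixed` are assumptions for illustration. Instead of calling `free()`, the model counts releases so the double release is observable without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical minimal frame; a stand-in for the real frame structure. */
struct frame {
    uint8_t proto;
    int released;   /* set once the frame has been handed to frame_discard() */
};

#define PROTO_TCP 6
#define PROTO_UDP 17

static int g_discards;         /* frame_discard() calls since the last reset */
static int g_double_discards;  /* discards of a frame already marked released */

/* Stand-in for pico_frame_discard(): records releases instead of freeing, so a
 * second release of the same frame is counted rather than being undefined
 * behaviour. In real code this second call would free already-freed memory. */
static void frame_discard(struct frame *f)
{
    g_discards++;
    if (f->released)
        g_double_discards++;
    f->released = 1;
}

/* Stand-in for pico_transport_receive(): on an unknown protocol it releases the
 * frame itself and returns -1. Ownership of the frame therefore leaves the
 * caller on the error path as well as on success. */
static int transport_receive(struct frame *f)
{
    switch (f->proto) {
    case PROTO_TCP:
    case PROTO_UDP:
        return 0;           /* frame handed off to the protocol handler */
    default:
        frame_discard(f);   /* callee releases the frame before failing */
        return -1;
    }
}

/* Pattern reported in the issue: a negative return is taken to mean the frame
 * is still owned by the caller, so it is discarded a second time. */
static int reassemble_vulnerable(struct frame *full)
{
    if (transport_receive(full) < 0) {
        frame_discard(full);  /* double release */
        return -1;
    }
    return 0;
}

/* One correct pattern: the callee owns the frame after the call in every case,
 * so the caller never touches it again, whatever the return value. */
static int reassemble_fixed(struct frame *full)
{
    return transport_receive(full) < 0 ? -1 : 0;
}

/* Runs one reassembly attempt on a constructed frame with the given protocol
 * and resets the counters first. The frame's storage is freed here because
 * frame_discard() in this model never frees anything. */
static int run_case(int proto, int (*reassemble)(struct frame *))
{
    struct frame *f = calloc(1, sizeof *f);
    int rc;
    if (!f) return -2;
    g_discards = 0;
    g_double_discards = 0;
    f->proto = (uint8_t)proto;
    rc = reassemble(f);
    free(f);
    return rc;
}

static int discards(void)        { return g_discards; }
static int double_discards(void) { return g_double_discards; }

int main(void)
{
    run_case(255, reassemble_vulnerable);
    printf("vulnerable, unknown proto: %d discards, %d double\n", discards(), double_discards());
    run_case(255, reassemble_fixed);
    printf("fixed, unknown proto:      %d discards, %d double\n", discards(), double_discards());
    run_case(PROTO_UDP, reassemble_vulnerable);
    printf("vulnerable, UDP:           %d discards, %d double\n", discards(), double_discards());
    return 0;
}
```

The model makes the defect visible as a count of two releases for one frame on the unknown-protocol path; with a real allocator, sanitizers such as AddressSanitizer report the same condition as a double-free at the second `free()`. The general lesson is to document, for each function that can fail, whether it consumes its argument on error, and to have the caller follow that contract rather than releasing defensively.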

Thanks for reporting @GANGE666 ! A PR has been submitted.

PR merged. Closing...

Could you provide an example that triggered this issue? Thank you.