[Slirp] [PATCH] libslirp: fix NULL pointer dereference in tcp_sockclosed
pannengyuan at huawei.com
Mon Nov 25 01:20:52 UTC 2019
From: PanNengyuan <pannengyuan at huawei.com>
qemu crashes with a segfault (NULL pointer access in tcp_sockclosed):
tp = tcp_close(tp) frees tp and sets tp to NULL, then tcp_output(tp)
accesses the null pointer (tp).
This fixes the following Coverity report:

    384         break;
    385     }
    >>>     CID 68914397: (NULL_RETURNS)
    >>>     386. dereference: Dereferencing a pointer that might be "NULL"
    >>>     "tp" when calling "tcp_output".
    386     tcp_output(tp);
    387 }
Reported-by: Euler Robot <euler.robot at huawei.com>
Signed-off-by: PanNengyuan <pannengyuan at huawei.com>
---
src/tcp_subr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index 2e32cb6..662f768 100644
--- a/src/tcp_subr.c
+++ b/src/tcp_subr.c
@@ -378,7 +378,7 @@ void tcp_sockclosed(struct tcpcb *tp)
case TCPS_SYN_SENT:
tp->t_state = TCPS_CLOSED;
tp = tcp_close(tp);
- break;
+ return;
case TCPS_SYN_RECEIVED:
case TCPS_ESTABLISHED:
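Review bot: With `return` in place of `break` in the TCPS_SYN_SENT case, the preceding store `tp = tcp_close(tp);` is now dead, since the returned value is never read before the function exits. Consider writing `tcp_close(tp); return;` (or casting the result to `(void)`) so that readers and static checkers do not flag an unused assignment, and add a one-line comment noting that tp has been freed here; that documents why this case alone bypasses the trailing `tcp_output(tp)` call at line 386 that the Coverity report points to, while the other cases still fall through to it.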
--
2.7.2.windows.1