From 62c44138da19a8cd9b100b3050c9697a80d8866f Mon Sep 17 00:00:00 2001
From: Dirk Ziegelmeier
Date: Thu, 23 Feb 2017 16:55:14 +0100
Subject: [PATCH] Improve pbuf refcount underflow check by checking the local variable on the stack that was assigned in a protected region
The old code was vulnerable to race conditions since it checked ref to be >0 without locks
---
src/core/pbuf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/core/pbuf.c b/src/core/pbuf.c
index 9f35ec6a..470a6230 100644
--- a/src/core/pbuf.c
+++ b/src/core/pbuf.c
@@ -743,17 +743,17 @@ pbuf_free(struct pbuf *p)
 /* de-allocate all consecutive pbufs from the head of the chain that
  * obtain a zero reference count after decrementing*/
 while (p != NULL) {
- u16_t ref;
+ LWIP_PBUF_REF_T ref;
 SYS_ARCH_DECL_PROTECT(old_level);
 /* Since decrementing ref cannot be guaranteed to be a single machine operation
  * we must protect it. We put the new ref into a local variable to prevent
  * further protection. */
 SYS_ARCH_PROTECT(old_level);
- /* all pbufs in a chain are referenced at least once */
- LWIP_ASSERT("pbuf_free: p->ref > 0", p->ref > 0);
 /* decrease reference count (number of pointers to pbuf) */
 ref = --(p->ref);
 SYS_ARCH_UNPROTECT(old_level);
+ /* Check for refcount underflow */
+ LWIP_ASSERT("pbuf_free: p->ref >= 0", ref >= 0);
 /* this pbuf is no longer referenced to? */
 if (ref == 0) {
 /* remember next pbuf in chain for next iteration */
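Review bot: The added `LWIP_ASSERT("pbuf_free: p->ref >= 0", ref >= 0)` cannot fire when LWIP_PBUF_REF_T is an unsigned type (lwIP's default is u8_t): an unsigned value is always >= 0, so a decrement from zero wraps to the type's maximum and passes the check, and compilers with -Wtype-limits will flag the comparison as always true. In the removed lines the `p->ref > 0` assert already sat after `SYS_ARCH_PROTECT(old_level)`, so if the motivation is to keep the assertion call itself outside the protected region (the description's "without locks" reading does not match the visible context), test the copied value for the wrapped result instead, e.g. `LWIP_ASSERT("pbuf_free: p->ref > 0", ref != (LWIP_PBUF_REF_T)-1);`, which holds for both signed and unsigned ref types. Alternatively snapshot `p->ref` before the decrement inside the protected region and assert `old_ref > 0` after `SYS_ARCH_UNPROTECT`. The body of pbuf_free continues outside the hunk.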