From c4d78e642206761d12dfa594f79afe2920756c4b Mon Sep 17 00:00:00 2001
From: Sylvain Rochet
Date: Wed, 20 Jan 2016 21:12:37 +0100
Subject: [PATCH] PPP, PPPoL2TP, fix double free of L2TP pcb in pppol2tp_create error path
ppp_free() calls the low level protocol destroy function, pppol2tp_destroy() here, which freed the l2tp pcb, followed by pppol2tp_create which also freed the pcb.
Fixing it by reordering the L2TP init so we don't have to call ppp_free() anymore.
Signed-off-by: Sylvain Rochet
---
 src/netif/ppp/pppol2tp.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/netif/ppp/pppol2tp.c b/src/netif/ppp/pppol2tp.c
index 3d7754e7..bbef5770 100644
--- a/src/netif/ppp/pppol2tp.c
+++ b/src/netif/ppp/pppol2tp.c
@@ -129,11 +129,6 @@ ppp_pcb *pppol2tp_create(struct netif *pppif,
     goto memp_malloc_l2tp_failed;
   }
 
-  ppp = ppp_new(pppif, &pppol2tp_callbacks, l2tp, link_status_cb, ctx_cb);
-  if (ppp == NULL) {
-    goto ppp_new_failed;
-  }
-
 #if LWIP_IPV6
   if (IP_IS_V6_VAL(*ipaddr)) {
     udp = udp_new_ip6();
@@ -145,6 +140,11 @@ ppp_pcb *pppol2tp_create(struct netif *pppif,
   }
   udp_recv(udp, pppol2tp_input, l2tp);
 
+  ppp = ppp_new(pppif, &pppol2tp_callbacks, l2tp, link_status_cb, ctx_cb);
+  if (ppp == NULL) {
+    goto ppp_new_failed;
+  }
+
   memset(l2tp, 0, sizeof(pppol2tp_pcb));
   l2tp->phase = PPPOL2TP_STATE_INITIAL;
   l2tp->ppp = ppp;
@@ -159,9 +159,9 @@ ppp_pcb *pppol2tp_create(struct netif *pppif,
   return ppp;
 
-udp_new_failed:
-  ppp_free(ppp);
 ppp_new_failed:
+  udp_remove(udp);
+udp_new_failed:
   memp_free(MEMP_PPPOL2TP_PCB, l2tp);
 memp_malloc_l2tp_failed:
 ipaddr_check_failed:
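Review bot: In the second hunk `udp_recv(udp, pppol2tp_input, l2tp)` arms the UDP pcb with a receive argument that still points at uninitialized memory, because `memset(l2tp, 0, sizeof(pppol2tp_pcb))` and the `l2tp->ppp = ppp` assignment only come after the newly inserted `ppp_new()` call; the same gap existed before the change, but it now also spans `ppp_new()` and its failure path. In lwIP's single-threaded core nothing presumably dispatches input between these statements, so this is unlikely to be reachable, yet it is cheap to close: move `memset(l2tp, 0, sizeof(pppol2tp_pcb));` up to directly below the `memp_malloc()` NULL check in the first hunk, which also hands `ppp_new()` a zeroed context and removes the ordering dependency, provided nothing in the lines between the two hunks writes to `*l2tp`. A short comment on the moved `ppp_new()` call, `/* created last so a failure only has to undo the UDP pcb and the l2tp block; ppp_free() would call pppol2tp_destroy() and free l2tp a second time */`, would record why the order matters. pppol2tp_create's body begins and ends outside this hunk.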