fruity: Fix use-after-free in TcpConnection

The error callback might be called at a point where the PCB has already been freed. This meant that us clearing its user data would result in a use-after-free where a NULL pointer was written into the unknown. Co-authored-by: Ole André Vadla Ravnås <oleavr@gmail.com>
frida · Oct 14, 2024 · 2b0c4da · 2b0c4da
1 parent d012961
commit 2b0c4da
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/fruity/network-stack.vala b/src/fruity/network-stack.vala
@@ -559,7 +559,11 @@ namespace Frida.Fruity {
 			}
 
 			private void on_error (LWIP.ErrorCode err) {
-				detach_from_pcb ();
+				bool pcb_already_freed = err == ABRT;
+				if (pcb_already_freed)
+					pcb = null;
+				else
+					detach_from_pcb ();
 				schedule_on_frida_thread (() => {
 					_state = CLOSED;
 					update_events ();