net: ppp: ip{,v6}cp: drop possible double free of nack_buf

When iterating though configuration options it is possible that we will fail to add data to nack_buf and hence unref it in error handling path. Just after that we will unref buf, which has nack_buf in its buffer chain. Drop code unrefing nack_buf and just go directly to unrefing buf. Signed-off-by: Marcin Niestroj <[email protected]>
bseazeng · Jan 7, 2020 · b3a8e7d · b3a8e7d
1 parent e0cf06f
commit b3a8e7d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 26 deletions.
diff --git a/subsys/net/l2/ppp/ipcp.c b/subsys/net/l2/ppp/ipcp.c
@@ -160,7 +160,7 @@ static int ipcp_config_info_req(struct ppp_fsm *fsm,
 
 			nack_buf = ppp_get_net_buf(buf, nack_options[i].len);
 			if (!nack_buf) {
-				goto out_of_mem;
+				goto bail_out;
 			}
 
 			if (!buf) {
@@ -170,13 +170,13 @@ static int ipcp_config_info_req(struct ppp_fsm *fsm,
 			added = append_to_buf(nack_buf,
 					      &nack_options[i].type.ipcp, 1);
 			if (!added) {
-				goto out_of_mem;
+				goto bail_out;
 			}
 
 			added = append_to_buf(nack_buf, &nack_options[i].len,
 					      1);
 			if (!added) {
-				goto out_of_mem;
+				goto bail_out;
 			}
 
 			/* If there is some data, copy it to result buf */
@@ -185,18 +185,9 @@ static int ipcp_config_info_req(struct ppp_fsm *fsm,
 						nack_options[i].value.pos,
 						nack_options[i].len - 1 - 1);
 				if (!added) {
-					goto out_of_mem;
+					goto bail_out;
 				}
 			}
-
-			continue;
-
-		out_of_mem:
-			if (nack_buf) {
-				net_buf_unref(nack_buf);
-			}
-
-			goto bail_out;
 		}
 	} else {
 		struct ppp_context *ctx;

diff --git a/subsys/net/l2/ppp/ipv6cp.c b/subsys/net/l2/ppp/ipv6cp.c
@@ -156,7 +156,7 @@ static int ipv6cp_config_info_req(struct ppp_fsm *fsm,
 
 			nack_buf = ppp_get_net_buf(buf, nack_options[i].len);
 			if (!nack_buf) {
-				goto out_of_mem;
+				goto bail_out;
 			}
 
 			if (!buf) {
@@ -166,13 +166,13 @@ static int ipv6cp_config_info_req(struct ppp_fsm *fsm,
 			added = append_to_buf(nack_buf,
 					      &nack_options[i].type.ipv6cp, 1);
 			if (!added) {
-				goto out_of_mem;
+				goto bail_out;
 			}
 
 			added = append_to_buf(nack_buf, &nack_options[i].len,
 					      1);
 			if (!added) {
-				goto out_of_mem;
+				goto bail_out;
 			}
 
 			/* If there is some data, copy it to result buf */
@@ -181,18 +181,9 @@ static int ipv6cp_config_info_req(struct ppp_fsm *fsm,
 						nack_options[i].value.pos,
 						nack_options[i].len - 1 - 1);
 				if (!added) {
-					goto out_of_mem;
+					goto bail_out;
 				}
 			}
-
-			continue;
-
-		out_of_mem:
-			if (nack_buf) {
-				net_buf_unref(nack_buf);
-			}
-
-			goto bail_out;
 		}
 	} else {
 		u8_t iface_id[PPP_INTERFACE_IDENTIFIER_LEN];