lwip: Fix use-after-free memory corruption

Set *sem to NULL after free() otherwise calling sys_sem_set_invalid()
will cause us to write into a memory location that has potentially
either been reused for another allocation or contains freelist
metadata.

This manifested as malloc() corruption, because we
sys_sem_set_invalid() was overwriting malloc metadata used for
maintaining the freelist.

Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Gene Cumm <gene.cumm@gmail.com>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>

diff --git a/core/lwip/src/arch/sys_arch.c b/core/lwip/src/arch/sys_arch.c
index 5f8437e..894f6ad 100644 (file)
--- a/core/lwip/src/arch/sys_arch.c
+++ b/core/lwip/src/arch/sys_arch.c
@@ -25,6 +25,7 @@ void sys_sem_free(sys_sem_t *sem)
     if (!!sem && !!*sem) {
        sys_sem_set_invalid(sem);
        free(*sem);
+       *sem = NULL;
     }
 }