gnrc_ipv6: fix double-free when pinging TNT loopback address

[jia200x]

Contribution description

This PR provides a fix for a double-free in gnrc_ipv6.
This occurs because the _safe_fill_ipv6_hdr function already calls gnrc_pktbuf_release. Therefore, calling it again in _send_to_self crashes the devices

Testing procedure

Try pinging to a TNT loopback address. Without this PR, it crashes:

2024-01-29 12:01:44,285 # ping 2001:67c:254:b0c1:204:2519:1801:bddb
2024-01-29 12:01:44,286 # 8841
2024-01-29 12:01:44,288 # *** RIOT kernel panic:
2024-01-29 12:01:44,290 # FAILED ASSERTION.
2024-01-29 12:01:44,290 # 
2024-01-29 12:01:44,299 # 	pid | name                 | state    Q | pri | stack  ( used) ( free) | base addr  | current     
2024-01-29 12:01:44,308 # 	 - | isr_stack            | -        - |   - |    512 (  348) (  164) | 0x20000000 | 0x200001b8
2024-01-29 12:01:44,317 # 	 1 | main                 | pending  Q |   7 |   1536 (  740) (  796) | 0x20000490 | 0x200007ac 
2024-01-29 12:01:44,326 # 	 2 | pktdump              | bl rx    _ |   6 |   1472 (  184) ( 1288) | 0x2000319c | 0x200036a4 
2024-01-29 12:01:44,335 # 	 3 | 6lo                  | bl rx    _ |   3 |    960 (  364) (  596) | 0x200041c0 | 0x2000449c 
2024-01-29 12:01:44,344 # 	 4 | ipv6                 | running  Q |   4 |    960 (  660) (  300) | 0x20000bac | 0x20000e8c 
2024-01-29 12:01:44,353 # 	 5 | udp                  | bl rx    _ |   5 |    448 (  216) (  232) | 0x200045c4 | 0x200046ac 
2024-01-29 12:01:44,362 # 	 6 | at86rf2xx            | bl anyfl _ |   2 |    896 (  424) (  472) | 0x20001390 | 0x20001644 
2024-01-29 12:01:44,371 # 	 7 | RPL                  | bl rx    _ |   5 |   1024 (  216) (  808) | 0x200037b4 | 0x20003adc 
2024-01-29 12:01:44,378 # 	   | SUM                  |            |     |   7808 ( 3152) ( 4656)
2024-01-29 12:01:44,378 # 
2024-01-29 12:01:44,379 # *** halted.
2024-01-29 12:01:44,379 # 
2024-01-29 12:01:44,379 # 
2024-01-29 12:01:44,381 # Context before hardfault:
2024-01-29 12:01:44,383 #    r0: 0x0000000a
2024-01-29 12:01:44,384 #    r1: 0x00000000
2024-01-29 12:01:44,386 #    r2: 0x00000000
2024-01-29 12:01:44,388 #    r3: 0x00000000
2024-01-29 12:01:44,389 #   r12: 0x00000046
2024-01-29 12:01:44,391 #    lr: 0x000010df
2024-01-29 12:01:44,393 #    pc: 0x00001aac
2024-01-29 12:01:44,394 #   psr: 0x41000000
2024-01-29 12:01:44,394 # 
2024-01-29 12:01:44,395 # Misc
2024-01-29 12:01:44,397 # EXC_RET: 0xfffffffd
2024-01-29 12:01:44,399 # Active thread: 4 "ipv6"
2024-01-29 12:01:44,403 # Attempting to reconstruct state for debugging...
2024-01-29 12:01:44,404 # In GDB:
2024-01-29 12:01:44,405 #   set $pc=0x1aac
2024-01-29 12:01:44,406 #   frame 0
2024-01-29 12:01:44,407 #   bt
2024-01-29 12:01:44,407 # 
2024-01-29 12:01:44,411 # ISR stack overflowed by at least 8 bytes.
2024-01-29 12:01:44,412 # Inside isr -13

Issues/PRs references

I can confirm this issue has been there since 2019.10 at least.

[MrKevinWeiss]

ping @miri64 should be easy to logic this but it would be good to have a quick look.

[riot-ci]

Murdock results

✔️ PASSED

8dc5e91 gnrc_ipv6: fix double free when pinging TNT loopback address

Success	Failures	Total	Runtime
8629	0	8629	11m:02s

Artifacts

• Documentation preview

[benpicco]

It's just the way you said. I checked the other callers of _safe_fill_ipv6_hdr() and they all behave correctly.

[miri64]

Could we also maybe have a test case for this? This can be done as a follow-up.

[MrKevinWeiss]

ping @jia200x maybe we can work on this at Hack'n'ACK?