
gnrc_ipv6: fix double-free when pinging TNT loopback address [backport 2024.01] #20320

Conversation

MrKevinWeiss
Contributor

Backport of #20309

Contribution description

This PR provides a fix for a double-free in gnrc_ipv6.
This occurs because the _safe_fill_ipv6_hdr function already calls gnrc_pktbuf_release. Therefore, calling it again in _send_to_self crashes the device.

Testing procedure

Try pinging a TNT loopback address. Without this PR, it crashes:

2024-01-29 12:01:44,285 # ping 2001:67c:254:b0c1:204:2519:1801:bddb
2024-01-29 12:01:44,286 # 8841
2024-01-29 12:01:44,288 # *** RIOT kernel panic:
2024-01-29 12:01:44,290 # FAILED ASSERTION.
2024-01-29 12:01:44,290 # 
2024-01-29 12:01:44,299 # 	pid | name                 | state    Q | pri | stack  ( used) ( free) | base addr  | current     
2024-01-29 12:01:44,308 # 	 - | isr_stack            | -        - |   - |    512 (  348) (  164) | 0x20000000 | 0x200001b8
2024-01-29 12:01:44,317 # 	 1 | main                 | pending  Q |   7 |   1536 (  740) (  796) | 0x20000490 | 0x200007ac 
2024-01-29 12:01:44,326 # 	 2 | pktdump              | bl rx    _ |   6 |   1472 (  184) ( 1288) | 0x2000319c | 0x200036a4 
2024-01-29 12:01:44,335 # 	 3 | 6lo                  | bl rx    _ |   3 |    960 (  364) (  596) | 0x200041c0 | 0x2000449c 
2024-01-29 12:01:44,344 # 	 4 | ipv6                 | running  Q |   4 |    960 (  660) (  300) | 0x20000bac | 0x20000e8c 
2024-01-29 12:01:44,353 # 	 5 | udp                  | bl rx    _ |   5 |    448 (  216) (  232) | 0x200045c4 | 0x200046ac 
2024-01-29 12:01:44,362 # 	 6 | at86rf2xx            | bl anyfl _ |   2 |    896 (  424) (  472) | 0x20001390 | 0x20001644 
2024-01-29 12:01:44,371 # 	 7 | RPL                  | bl rx    _ |   5 |   1024 (  216) (  808) | 0x200037b4 | 0x20003adc 
2024-01-29 12:01:44,378 # 	   | SUM                  |            |     |   7808 ( 3152) ( 4656)
2024-01-29 12:01:44,378 # 
2024-01-29 12:01:44,379 # *** halted.
2024-01-29 12:01:44,379 # 
2024-01-29 12:01:44,379 # 
2024-01-29 12:01:44,381 # Context before hardfault:
2024-01-29 12:01:44,383 #    r0: 0x0000000a
2024-01-29 12:01:44,384 #    r1: 0x00000000
2024-01-29 12:01:44,386 #    r2: 0x00000000
2024-01-29 12:01:44,388 #    r3: 0x00000000
2024-01-29 12:01:44,389 #   r12: 0x00000046
2024-01-29 12:01:44,391 #    lr: 0x000010df
2024-01-29 12:01:44,393 #    pc: 0x00001aac
2024-01-29 12:01:44,394 #   psr: 0x41000000
2024-01-29 12:01:44,394 # 
2024-01-29 12:01:44,395 # Misc
2024-01-29 12:01:44,397 # EXC_RET: 0xfffffffd
2024-01-29 12:01:44,399 # Active thread: 4 "ipv6"
2024-01-29 12:01:44,403 # Attempting to reconstruct state for debugging...
2024-01-29 12:01:44,404 # In GDB:
2024-01-29 12:01:44,405 #   set $pc=0x1aac
2024-01-29 12:01:44,406 #   frame 0
2024-01-29 12:01:44,407 #   bt
2024-01-29 12:01:44,407 # 
2024-01-29 12:01:44,411 # ISR stack overflowed by at least 8 bytes.
2024-01-29 12:01:44,412 # Inside isr -13

Issues/PRs references

I can confirm this issue has been there since 2019.10 at least.
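
The ownership mistake the description above points at, shown as an added example rather than RIOT code: a helper that releases the packet on its own error path, a caller that wrongly releases it a second time, and the corrected caller. Nothing here uses gnrc_pktbuf; every `toy_*` name, the fixed-size pool, the `fail` flag that stands in for the helper's real failure condition, and the destination address bytes are assumptions made for the example. The toy buffer counts a second release instead of asserting, so the difference between the two callers is visible as a return value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_POOL_SIZE 4
#define TOY_PKT_MAX   64

/* One slot of a toy packet buffer; users == 0 means the slot is free. */
typedef struct {
    uint8_t  data[TOY_PKT_MAX];
    size_t   len;
    unsigned users;
} toy_pkt_t;

static toy_pkt_t toy_pool[TOY_POOL_SIZE];

/* Releases of packets that were already free: the toy analogue of the
 * failed assertion in the crash log above. */
static unsigned toy_double_releases;

toy_pkt_t *toy_pktbuf_alloc(size_t len)
{
    if (len > TOY_PKT_MAX) {
        return NULL;
    }
    for (size_t i = 0; i < TOY_POOL_SIZE; i++) {
        if (toy_pool[i].users == 0) {
            memset(&toy_pool[i], 0, sizeof(toy_pool[i]));
            toy_pool[i].users = 1;
            toy_pool[i].len = len;
            return &toy_pool[i];
        }
    }
    return NULL;
}

/* Returns false, and records it, when pkt is NULL or already free. */
bool toy_pktbuf_release(toy_pkt_t *pkt)
{
    if (pkt == NULL || pkt->users == 0) {
        toy_double_releases++;
        return false;
    }
    pkt->users--;
    return true;
}

/* Number of slots still allocated; used to check for leaks after a scenario. */
unsigned toy_pool_live(void)
{
    unsigned live = 0;
    for (size_t i = 0; i < TOY_POOL_SIZE; i++) {
        live += (toy_pool[i].users != 0);
    }
    return live;
}

/* Hypothetical header-filling helper with the contract the PR describes for
 * _safe_fill_ipv6_hdr: on failure it releases pkt itself and returns false,
 * so the caller no longer owns the packet. */
static bool toy_fill_hdr(toy_pkt_t *pkt, const uint8_t dst[16], bool fail)
{
    if (fail) {
        toy_pktbuf_release(pkt);
        return false;
    }
    memcpy(pkt->data, dst, 16);
    return true;
}

/* Hypothetical delivery step that consumes (releases) the packet. */
static bool toy_deliver(toy_pkt_t *pkt)
{
    return toy_pktbuf_release(pkt);
}

/* Buggy shape: the caller releases a packet the helper already released. */
bool toy_send_to_self_buggy(toy_pkt_t *pkt, const uint8_t dst[16], bool fail)
{
    if (!toy_fill_hdr(pkt, dst, fail)) {
        toy_pktbuf_release(pkt);   /* BUG: second release on the error path */
        return false;
    }
    return toy_deliver(pkt);
}

/* Fixed shape: on failure the helper owns the packet, the caller just returns. */
bool toy_send_to_self_fixed(toy_pkt_t *pkt, const uint8_t dst[16], bool fail)
{
    if (!toy_fill_hdr(pkt, dst, fail)) {
        return false;              /* already released by toy_fill_hdr */
    }
    return toy_deliver(pkt);
}

/* Runs one scenario and returns how many double releases it caused. */
unsigned toy_run_scenario(bool use_fixed, bool fail)
{
    /* Constructed destination (documentation prefix 2001:db8::1), not a real host. */
    static const uint8_t dst[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
    toy_double_releases = 0;
    toy_pkt_t *pkt = toy_pktbuf_alloc(40);
    if (pkt == NULL) {
        return (unsigned)-1;
    }
    if (use_fixed) {
        toy_send_to_self_fixed(pkt, dst, fail);
    } else {
        toy_send_to_self_buggy(pkt, dst, fail);
    }
    return toy_double_releases;
}

int main(void)
{
    printf("buggy caller, helper failed: %u double release(s)\n", toy_run_scenario(false, true));
    printf("fixed caller, helper failed: %u double release(s)\n", toy_run_scenario(true, true));
    return 0;
}
```

Build with `cc -std=c11 -Wall toy_pktbuf.c && ./a.out`. The point to carry over to the real code is the contract, not the toy: once a helper documents that it releases the packet on its error path, every caller's error branch must treat the pointer as dead, and a release counter or assertion in the buffer layer is what turns the violation into the kind of failed assertion shown in the log above.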

@MrKevinWeiss MrKevinWeiss added the labels Area: network, Area: sys, CI: ready for build, Process: release backport and Type: bug on Jan 31, 2024
@MrKevinWeiss MrKevinWeiss requested a review from benpicco January 31, 2024 12:30
@riot-ci

riot-ci commented Jan 31, 2024

Murdock results

✔️ PASSED

63ae3b3 gnrc_ipv6: fix double free when pinging TNT loopback address

Success Failures Total Runtime
8628 0 8629 08m:53s


@benpicco benpicco enabled auto-merge January 31, 2024 21:25
@benpicco benpicco added this pull request to the merge queue Feb 1, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 1, 2024
@benpicco benpicco added this pull request to the merge queue Feb 2, 2024
Merged via the queue into RIOT-OS:2024.01-branch with commit bba5968 Feb 2, 2024
31 checks passed
@MrKevinWeiss MrKevinWeiss deleted the backport/2024.01/pr/fix_tnt_loopback branch February 6, 2024 10:09