From 476139064f471de4978eb0e0831c8eeea376f329 Mon Sep 17 00:00:00 2001
From: Kevin Schoedel <67607049+kpschoedel@users.noreply.github.com>
Date: Fri, 5 Nov 2021 11:03:59 -0400
Subject: [PATCH] Fix potential leak in TCPEndPoint::LwIPHandleDataReceived
 (#11447)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#### Problem

`TCPEndPoint::LwIPHandleDataReceived()` receives a packet buffer and,
in the normal case, forwards its ownership via `PostEvent()`. If that
fails, `LwIPHandleDataReceived()` is responsible for freeing the pbuf,
but doesn't.

From LwIP documentation, “If the callback function returns ERR_OK or
ERR_ABRT it must have freed the pbuf”.

#### Change overview

Call `pbuf_free()` if `PostEvent()` fails.

#### Testing

None; we don't have any way to instrument LwIP to verify this.
---
 src/inet/TCPEndPoint.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/inet/TCPEndPoint.cpp b/src/inet/TCPEndPoint.cpp
index 91c70fdc686505..7c31e74e8e8e99 100644
--- a/src/inet/TCPEndPoint.cpp
+++ b/src/inet/TCPEndPoint.cpp
@@ -1086,7 +1086,13 @@ err_t TCPEndPoint::LwIPHandleDataReceived(void * arg, struct tcp_pcb * tpcb, str
         res = ERR_ABRT;
 
     if (res != ERR_OK)
+    {
+        if (p != nullptr)
+        {
+            pbuf_free(p);
+        }
         tcp_abort(tpcb);
+    }
 
     return res;
 }