sys/net/gnrc_pktbuf: detect use after free if canary is in metadata

2024-12-29 04:50:03 +01:00 · 2024-11-14 15:28:32 +01:00 · 2024-11-14 15:28:32 +01:00 · 83f5b261a8
commit 83f5b261a8
parent ea1670ab0f
2 changed files with 15 additions and 0 deletions
--- a/sys/net/gnrc/pktbuf/gnrc_pktbuf.c
+++ b/sys/net/gnrc/pktbuf/gnrc_pktbuf.c
@ -93,6 +93,14 @@ void gnrc_pktbuf_release_error(gnrc_pktsnip_t *pkt, uint32_t err)
        assert(gnrc_pktbuf_contains(pkt));
        assert(pkt->users > 0);
        tmp = pkt->next;
+
+        /* if the memory was freed, memory has been overwritten by CANARY */
+        if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE &&
+            pkt->users == GNRC_PKTBUF_CANARY) {
+            puts("gnrc_pktbuf: double free detected\n");
+            DEBUG_BREAKPOINT(3);
+        }
+
        if (pkt->users == 1) {
            pkt->users = 0; /* not necessary but to be on the safe side */
            if (!IS_USED(MODULE_GNRC_TX_SYNC)
--- a/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
+++ b/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
@ -218,6 +218,13 @@ gnrc_pktsnip_t *gnrc_pktbuf_start_write(gnrc_pktsnip_t *pkt)
        mutex_unlock(&gnrc_pktbuf_mutex);
        return NULL;
    }
+
+    if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE &&
+        pkt->users == GNRC_PKTBUF_CANARY) {
+        puts("gnrc_pktbuf: use after free detected\n");
+        DEBUG_BREAKPOINT(3);
+    }
+
    if (pkt->users > 1) {
        gnrc_pktsnip_t *new;
        new = _create_snip(pkt->next, pkt->data, pkt->size, pkt->type);