Author: cmihail Date: Mon Jun 20 14:49:58 2011 New Revision: 52385 URL: http://svn.reactos.org/svn/reactos?rev=52385&view=rev Log: [lwIP] Fix the nasty crash on socket closure bug. The bug was due to corrupting memory by wrongly assuming the LISTEN pcb had send, receive and error callbacks. Modified: branches/GSoC_2011/TcpIpDriver/lib/drivers/lwip/src/rostcp.c Modified: branches/GSoC_2011/TcpIpDriver/lib/drivers/lwip/src/rostcp.c URL: http://svn.reactos.org/svn/reactos/branches/GSoC_2011/TcpIpDriver/lib/drive… ============================================================================== --- branches/GSoC_2011/TcpIpDriver/lib/drivers/lwip/src/rostcp.c [iso-8859-1] (original) +++ branches/GSoC_2011/TcpIpDriver/lib/drivers/lwip/src/rostcp.c [iso-8859-1] Mon Jun 20 14:49:58 2011 @@ -330,20 +330,16 @@ LibTCPListenCallback(void *arg) { struct listen_callback_msg *msg = arg; - void *p; ASSERT(msg); DbgPrint("[lwIP, LibTCPListenCallback] Called\n"); - - p = msg->Pcb->callback_arg; + msg->NewPcb = tcp_listen_with_backlog(msg->Pcb, msg->Backlog); if (msg->NewPcb) { - tcp_arg(msg->NewPcb, p); tcp_accept(msg->NewPcb, InternalAcceptEventHandler); - tcp_err(msg->NewPcb, InternalErrorEventHandler); } DbgPrint("[lwIP, LibTCPListenCallback] Done\n"); @@ -641,9 +637,18 @@ DbgPrint("[lwIP, LibTCPClose] pcb->state = %s\n", tcp_state_str[pcb->state]); tcp_arg(pcb, NULL); - tcp_recv(pcb, NULL); - tcp_sent(pcb, NULL); - tcp_err(pcb, NULL); + + /* + if this pcb is not in LISTEN state than it has + valid recv, send and err callbacks to cancel + */ + if (pcb->state != LISTEN) + { + tcp_recv(pcb, NULL); + tcp_sent(pcb, NULL); + tcp_err(pcb, NULL); + } + tcp_accept(pcb, NULL); DbgPrint("[lwIP, LibTCPClose] Attempting to allocate memory for msg\n");