This is an automated email from the ASF dual-hosted git repository.
janc pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mynewt-nimble.git
The following commit(s) were added to refs/heads/master by this push:
new 6f36f8aa5 ll: Fix use after free in ble_ll_isoal_mux_free
6f36f8aa5 is described below
commit 6f36f8aa57ac1a597c18a5d628a27c81063c4d26
Author: Szymon Janc <[email protected]>
AuthorDate: Wed Nov 26 15:34:55 2025 +0100
ll: Fix use after free in ble_ll_isoal_mux_free
mbuf needs to be removed from pkthdr list before being freed. Otherwise
sdu_q list will operate on invalid data.
---
nimble/controller/src/ble_ll_isoal.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/nimble/controller/src/ble_ll_isoal.c
b/nimble/controller/src/ble_ll_isoal.c
index 2cb842aa4..f8c3d40fb 100644
--- a/nimble/controller/src/ble_ll_isoal.c
+++ b/nimble/controller/src/ble_ll_isoal.c
@@ -60,24 +60,19 @@ void
ble_ll_isoal_mux_free(struct ble_ll_isoal_mux *mux)
{
struct os_mbuf_pkthdr *pkthdr;
- struct os_mbuf *om;
- struct os_mbuf *om_next;
pkthdr = STAILQ_FIRST(&mux->sdu_q);
while (pkthdr) {
- om = OS_MBUF_PKTHDR_TO_MBUF(pkthdr);
+ /* remove from list before freeing om */
+ STAILQ_REMOVE_HEAD(&mux->sdu_q, omp_next);
- while (om) {
- om_next = SLIST_NEXT(om, om_next);
- os_mbuf_free(om);
- om = om_next;
- }
+ os_mbuf_free_chain(OS_MBUF_PKTHDR_TO_MBUF(pkthdr));
- STAILQ_REMOVE_HEAD(&mux->sdu_q, omp_next);
pkthdr = STAILQ_FIRST(&mux->sdu_q);
}
STAILQ_INIT(&mux->sdu_q);
+ mux->sdu_q_len = 0;
}
void
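Review bot: The comment added above `STAILQ_REMOVE_HEAD` states the order but not the reason for it, and the reason is what stops a later cleanup from reintroducing the use after free. The `omp_next` link lives in the packet header, which sits inside the mbuf that `os_mbuf_free_chain` hands back to the pool, so I would word it as `/* pkthdr is part of om: unlink it from sdu_q first so the list never reads omp_next from a freed mbuf */`. Separately, the hunk does not show whether anything can still append to `sdu_q` while this drain runs. If it can, the unlink and the `mux->sdu_q_len = 0` reset would need to be serialized against that producer, which is worth confirming at the call sites.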