pktbuf: Fix double free

The `forget()` call was on the (Copy, hence a warning that is being fixed) raw pointer instead of the underlying refcounted structure, leading to a double free.
RIOT-OS · Oct 14, 2023 · 1862792 · 1862792
1 parent 58bd86b
commit 1862792
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/src/gnrc/pktbuf.rs b/src/gnrc/pktbuf.rs
@@ -253,13 +253,19 @@ impl<'a> Pktsnip<Writable> {
         size: usize,
         nettype: gnrc_nettype_t,
     ) -> Result<Self, NotEnoughSpace> {
-        let next = next.map(|s| s.ptr).unwrap_or(0 as *mut _);
-        let snip =
-            unsafe { gnrc_pktbuf_add(next, data as *const _, size.try_into().unwrap(), nettype) };
+        let next_ptr = next.as_ref().map(|s| s.ptr).unwrap_or(0 as *mut _);
+        forget(next);
+        let snip = unsafe {
+            gnrc_pktbuf_add(
+                next_ptr,
+                data as *const _,
+                size.try_into().unwrap(),
+                nettype,
+            )
+        };
         if snip == 0 as *mut _ {
             return Err(NotEnoughSpace);
         }
-        forget(next);
         Ok(unsafe { Pktsnip::<Writable>::from_ptr(snip) })
     }