Handle a leaked TCP pointer more gracefully (#41753)

gmarcosb · web-flow · commit a2f630de4e65 · 2025-11-04T18:43:50.000Z
* Handle a leaked TCP pointer more gracefully

This is ~ a use-after-free, i.e. someone keeping a pointer to a connection that has been closed &amp; not using HandleConnectionClosed to reset the pointer

A VerifyOrDie here does not help us track the culprit

* Fix CI build failure
diff --git a/src/transport/raw/TCP.cpp b/src/transport/raw/TCP.cpp
@@ -141,10 +141,9 @@ ActiveTCPConnectionState * TCPBase::AllocateConnection(const Inet::TCPEndPointHa
     {
         for (size_t i = 0; i < mActiveConnectionsSize; i++)
         {
-            if (!mActiveConnections[i].InUse())
+            ActiveTCPConnectionState * activeConnection = &mActiveConnections[i];
+            if (!activeConnection->InUse() && (activeConnection->GetReferenceCount() == 0))
             {
-                ActiveTCPConnectionState * activeConnection = &mActiveConnections[i];
-                VerifyOrDie(activeConnection->GetReferenceCount() == 0);
                 // Update state for the active connection
                 activeConnection->Init(endpoint, address, [this](auto & conn) { TCPDisconnect(conn, true); });
                 return activeConnection;
@@ -155,7 +154,14 @@ ActiveTCPConnectionState * TCPBase::AllocateConnection(const Inet::TCPEndPointHa
         // (i.e. that have a ref count of 0)
         for (size_t i = 0; i < mActiveConnectionsSize; i++)
         {
-            ActiveTCPConnectionHandle releaseUnclaimed(&mActiveConnections[i]);
+            ActiveTCPConnectionState * activeConnection = &mActiveConnections[i];
+            if (!activeConnection->InUse() && (activeConnection->GetReferenceCount() != 0))
+            {
+                char addrStr[Transport::PeerAddress::kMaxToStringSize];
+                activeConnection->mPeerAddr.ToString(addrStr);
+                ChipLogError(Inet, "Leaked TCP connection %p to %s.", activeConnection, addrStr);
+            }
+            ActiveTCPConnectionHandle releaseUnclaimed(activeConnection);
         }
     }
     return nullptr;

Original file line number	Diff line number	Diff line change
`@@ -141,10 +141,9 @@ ActiveTCPConnectionState * TCPBase::AllocateConnection(const Inet::TCPEndPointHa`
`141`	`141`	`{`
`142`	`142`	`for (size_t i = 0; i < mActiveConnectionsSize; i++)`
`143`	`143`	`{`
`144`		`- if (!mActiveConnections[i].InUse())`
	`144`	`+ ActiveTCPConnectionState * activeConnection = &mActiveConnections[i];`
	`145`	`+ if (!activeConnection->InUse() && (activeConnection->GetReferenceCount() == 0))`
`145`	`146`	`{`
`146`		`- ActiveTCPConnectionState * activeConnection = &mActiveConnections[i];`
`147`		`- VerifyOrDie(activeConnection->GetReferenceCount() == 0);`
`148`	`147`	`// Update state for the active connection`
`149`	`148`	`activeConnection->Init(endpoint, address, [this](auto & conn) { TCPDisconnect(conn, true); });`
`150`	`149`	`return activeConnection;`
`@@ -155,7 +154,14 @@ ActiveTCPConnectionState * TCPBase::AllocateConnection(const Inet::TCPEndPointHa`
`155`	`154`	`// (i.e. that have a ref count of 0)`
`156`	`155`	`for (size_t i = 0; i < mActiveConnectionsSize; i++)`
`157`	`156`	`{`
`158`		`- ActiveTCPConnectionHandle releaseUnclaimed(&mActiveConnections[i]);`
	`157`	`+ ActiveTCPConnectionState * activeConnection = &mActiveConnections[i];`
	`158`	`+ if (!activeConnection->InUse() && (activeConnection->GetReferenceCount() != 0))`
	`159`	`+ {`
	`160`	`+ char addrStr[Transport::PeerAddress::kMaxToStringSize];`
	`161`	`+ activeConnection->mPeerAddr.ToString(addrStr);`
	`162`	`+ ChipLogError(Inet, "Leaked TCP connection %p to %s.", activeConnection, addrStr);`
	`163`	`+ }`
	`164`	`+ ActiveTCPConnectionHandle releaseUnclaimed(activeConnection);`
`159`	`165`	`}`
`160`	`166`	`}`
`161`	`167`	`return nullptr;`