From b0f2129143e335adc6c285dfcd687cd7455a7491 Mon Sep 17 00:00:00 2001
From: Benjamin Valentin
Date: Mon, 11 Nov 2024 14:43:29 +0100
Subject: [PATCH] sys/net/gnrc_pktbuf_static: add double free detection
---
 sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c b/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
index 3c98e8a61df39..b22db012f17f4 100644
--- a/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
+++ b/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
@@ -438,6 +438,10 @@ static void *_pktbuf_alloc(size_t size)
 #endif
 assert(0);
 }
+ if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE) {
+ /* clear out canary */
+ memset(ptr, ~CANARY, size);
+ }
 return (void *)ptr;
 }
@@ -469,6 +473,12 @@ void gnrc_pktbuf_free_internal(void *data, size_t size)
 }
 if (CONFIG_GNRC_PKTBUF_CHECK_USE_AFTER_FREE) {
+ /* check if the data has already been marked as free */
+ size_t chk_len = _align(size) - sizeof(*new);
+ if (chk_len && !memchk((uint8_t *)data + sizeof(*new), CANARY, chk_len)) {
+ puts("pktbuf: double free detected!");
+ DEBUG_BREAKPOINT(2);
+ }
 memset(data, CANARY, _align(size));
 }
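Review bot: The fill added to `_pktbuf_alloc` covers `size` bytes, while the free path in the second hunk poisons and checks `_align(size)` bytes. If `size` has not already been rounded up by this point (the start of the function is outside the hunk), the padding of a reused chunk keeps its CANARY bytes, and a short allocation could be reported as a double free on its first legitimate free. Using the same length on both sides removes that dependency, e.g. `memset(ptr, (uint8_t)~CANARY, _align(size));`, assuming the chunk reserved here is at least that long; the cast also makes explicit that only the low byte of the promoted `~CANARY` is stored. The comment could state the reason rather than the action: `/* overwrite the free marker so a later free of this live chunk is not reported as a double free */`.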
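Review bot: `size_t chk_len = _align(size) - sizeof(*new);` in `gnrc_pktbuf_free_internal` is an unsigned subtraction with no lower bound, so if `_align(size)` can ever be smaller than `sizeof(*new)` (a zero or very small `size`; `_align` and the callers are not visible in this hunk) `chk_len` wraps and `memchk` reads far past the packet buffer. A guard keeps the diagnostic from becoming an out-of-bounds read: `size_t aligned = _align(size);` followed by `size_t chk_len = (aligned > sizeof(*new)) ? aligned - sizeof(*new) : 0;`. The check is also a heuristic, since a live buffer whose bytes past the header all equal CANARY (possible for payload received from the network) is reported as a double free, and the comment should say so. After the report, execution continues to the `memset` and presumably to the free-list insertion outside the hunk, so where `DEBUG_BREAKPOINT` compiles to nothing the second free is still carried out; an early `return` or a comment explaining why the free proceeds would make that explicit.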