
[Feature Request][Nimble] detect and prevent os_mbuf use-after-free (IDFGH-10196)

Open chipweinberger opened this issue 2 years ago • 2 comments

Is your feature request related to a problem?

See issue: https://github.com/espressif/esp-idf/issues/11450

When a user submits a block that was already freed, it causes an incredibly tricky-to-debug infinite loop. This is easy to trigger accidentally and very hard to debug -- we ought to prevent this.

Below is some code that triggers such an issue.

BAD CODE. DON'T USE. (does not re-call ble_hs_mbuf_from_flat after ble_gattc_indicate_custom)

    // Declarations assumed from the surrounding function (not shown in the original snippet)
    struct os_mbuf *txom = NULL;
    uint32_t tStart = millis();

    // loop get txom
    do {
        txom = ble_hs_mbuf_from_flat(msg, msgLen);
        if (txom == NULL) {
            vTaskDelay(10 / portTICK_PERIOD_MS);
            if (millis() - tStart > 4000) {
                pd_err_fail(error, TAG, "timed out (4 secs) waiting for BLE resources - B");
                return;
            }
        }
    } while (txom == NULL);

    // loop send indication
    // BUG (deliberate, this is the reported pattern): ble_gattc_indicate_custom consumes txom
    // on every path, so when it returns BLE_HS_ENOMEM the mbuf is already back in the free
    // pool, and the retry below resubmits a freed os_mbuf instead of allocating a fresh one.
    int rc = 0;
    do {
        rc = ble_gattc_indicate_custom(gapConnHandle, attrHandle, txom);
        if (rc == BLE_HS_ENOMEM) {
            vTaskDelay(10 / portTICK_PERIOD_MS);
            if (millis() - tStart > 4000) {
                pd_err_fail(error, TAG, "timed out (4 secs) waiting for BLE resources - C");
                return;
            }
        }
    } while (rc == BLE_HS_ENOMEM);

Describe the solution you'd like.

ble_gattc_indicate_custom should check if the os_mbuf is not currently in the free pool.

A simple way to do this would be a flag in os_mbuf, i.e. os_mbuf->is_in_freepool, which gets set to true when freed with os_mbuf_free and false when returned by os_msys_get_pkthdr or similar. We'd check that om->is_in_freepool is false in ble_gattc_indicate_custom.

chipweinberger avatar May 21 '23 22:05 chipweinberger
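The proposed is_in_freepool check, as an added illustration that is not part of the issue or of NimBLE itself: demo_mbuf, demo_mbuf_get, demo_mbuf_free and demo_indicate are constructed stand-ins for os_mbuf, os_msys_get_pkthdr, os_mbuf_free and ble_gattc_indicate_custom, and the model assumes, as the report implies, that the send call consumes the mbuf on every path including the ENOMEM one. With the flag in place, the retry loop from the bad code above gets a distinct error on the second call instead of spinning on a freed buffer.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed, simplified stand-in for os_mbuf and its free pool. */
#define POOL_SIZE 4
#define DEMO_EOK     0
#define DEMO_EINVAL (-1)  /* mbuf is already in the free pool: use-after-free */
#define DEMO_ENOMEM (-2)  /* no transmit resources; mbuf was consumed */

struct demo_mbuf {
    bool is_in_freepool;  /* proposed flag: true while the buffer sits in the pool */
    size_t len;
};

static struct demo_mbuf pool[POOL_SIZE];
static bool pool_ready;

/* Stand-in for os_msys_get_pkthdr: hand out a free buffer and clear the flag. */
struct demo_mbuf *demo_mbuf_get(void) {
    if (!pool_ready) {
        for (int i = 0; i < POOL_SIZE; i++) pool[i].is_in_freepool = true;
        pool_ready = true;
    }
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].is_in_freepool) {
            pool[i].is_in_freepool = false;
            pool[i].len = 0;
            return &pool[i];
        }
    }
    return NULL;
}

/* Stand-in for os_mbuf_free: return the buffer to the pool and set the flag. */
void demo_mbuf_free(struct demo_mbuf *om) {
    om->is_in_freepool = true;
}

/* Stand-in for ble_gattc_indicate_custom: consumes om on every path.
 * The first line is the proposed check; it turns a resubmitted freed mbuf
 * into an explicit error instead of silently recycling pool memory. */
int demo_indicate(struct demo_mbuf *om, bool link_busy) {
    if (om->is_in_freepool) return DEMO_EINVAL;   /* proposed check */
    if (link_busy) {
        demo_mbuf_free(om);                       /* consumed even on failure */
        return DEMO_ENOMEM;
    }
    demo_mbuf_free(om);                           /* transmit done, release */
    return DEMO_EOK;
}
```

A caller that hits DEMO_ENOMEM must allocate again with demo_mbuf_get before retrying, which is exactly what the bad loop above omits.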

@rahult-github @IshaESP @RoshanESP

chipweinberger avatar May 22 '23 10:05 chipweinberger

@chipweinberger This might be worth reporting to the Apache Nimble team here instead (although there are a lot of open unanswered bugs there).

therealergo avatar May 10 '24 13:05 therealergo