NET: prevent tcp_connect callback from being double freed. From Max Holtzberg.

nuttx/ChangeLog

@@ -6420,3 +6420,5 @@
 	  Extended from logic provided by Jason Jiang.  Enabled with
 	  CONFIG_NET_SOLINGER.  At this point, it has only been verified that
 	  the changes does not seem to do any harm (2014-1-13).
+	* net/connect.c and net/uip/uip_callback.c: prevent tcp_connect
+	  callback from being double freed.  From Max Holtzberg (2014-1-13).

nuttx/net/connect.c

@@ -138,6 +138,8 @@ static inline void tcp_teardown_callbacks(struct tcp_connect_s *pstate,
 
   uip_tcpcallbackfree(conn, pstate->tc_cb);
 
+  pstate->tc_cb = NULL;
+
   /* If we successfully connected, we will continue to monitor the connection
    * state via callbacks.
    */

nuttx/net/net_close.c

@@ -91,7 +91,7 @@ struct tcp_close_s
  *   Check for a timeout on a lingering close.
  *
  * Parameters:
- *   pstate   send state structure
+ *   pstate - close state structure
  *
  * Returned Value:
  *   TRUE:timeout FALSE:no timeout
@@ -310,7 +310,7 @@ static inline int netclose_disconnect(FAR struct socket *psock)
            * enabled.
            */
 
-          state.cl_cb->priv  = (void*)&state;
+          state.cl_cb->priv  = (FAR void *)&state;
 
           /* Set up for the lingering wait */
 

nuttx/net/uip/uip_callback.c

@@ -161,9 +161,22 @@ void uip_callbackfree(FAR struct uip_callback_s *cb, FAR struct uip_callback_s *
 
   if (cb)
     {
+      save = uip_lock();
+
+#ifdef CONFIG_DEBUG
+      /* Check for double freed callbacks */
+
+      curr = g_cbfreelist;
+
+      while (curr != NULL)
+        {
+          DEBUGASSERT(cb != curr);
+          curr = curr->flink;
+        }
+#endif
+
       /* Find the callback structure in the connection's list */
 
-      save = uip_lock();
       if (list)
         {
           for (prev = NULL, curr = *list;