Zephyr TCP Null Pointer Dereference Vulnerability Due to Race Condition

Vulnerability

A null pointer dereference vulnerability has been identified in the Zephyr TCP implementation, specifically in versions through 4.3. This issue arises from a race condition during the teardown of TCP connections. When a connection is released, its context is set to NULL, but packets can still be processed by the `tcp_recv()` function. If `tcp_conn_search()` returns NULL while handling a SYN packet, a NULL pointer derived from outdated context data is passed to `tcp_backlog_is_full()`, where it is dereferenced without proper validation, leading to a crash.

Impact

Exploitation of this vulnerability causes a null pointer dereference, resulting in a crash of the application.

Reproduction

The vulnerability can be reproduced by sending a SYN packet to a TCP connection that is in the process of being released. The `tcp_recv()` function will attempt to process the packet, but if the connection has already been cleared, it will create a null pointer from stale data. This pointer is then passed to `tcp_backlog_is_full()`, where it is dereferenced without any checks, causing a crash.
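As an added illustration (not Zephyr source), the following simplified C model follows the SYN-handling path described above: a connection is released, a later SYN for the same port makes `tcp_conn_search()` return NULL, and the unchecked backlog test beside its hardened counterpart shows where the dereference happens and how a NULL or released connection is rejected instead. The struct layout, the listener pool and the backlog limit are assumptions of this model; only the function names come from the advisory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define MAX_CONNS 4
#define BACKLOG_LIMIT 2                   /* assumed limit for this model */
struct net_context { int id; };           /* stand-in for the owning context */
struct tcp_conn {
    struct net_context *context;          /* cleared to NULL when the connection is released */
    uint16_t local_port;
    int backlog;                          /* SYNs received but not yet accepted */
};
static struct net_context ctx_pool[MAX_CONNS];
static struct tcp_conn conns[MAX_CONNS];
/* Register a listener on port; returns NULL when no slot is free. */
static struct tcp_conn *tcp_listen(uint16_t port) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (conns[i].context != NULL) continue;
        conns[i].context = &ctx_pool[i];
        conns[i].local_port = port;
        conns[i].backlog = 0;
        return &conns[i];
    }
    return NULL;
}
/* Teardown: the context is cleared, but packets for this port may still arrive. */
static void tcp_conn_release(struct tcp_conn *conn) { conn->context = NULL; }
/* Look up the live connection for a port; NULL once it has been released. */
static struct tcp_conn *tcp_conn_search(uint16_t port) {
    for (int i = 0; i < MAX_CONNS; i++)
        if (conns[i].context != NULL && conns[i].local_port == port) return &conns[i];
    return NULL;
}
/* Vulnerable shape: trusts conn, so a NULL from the search is dereferenced here. */
static bool tcp_backlog_is_full_unchecked(const struct tcp_conn *conn) {
    return conn->backlog >= BACKLOG_LIMIT;
}
/* Hardened shape: a missing or released connection cannot accept a SYN. */
static bool tcp_backlog_is_full(const struct tcp_conn *conn) {
    if (conn == NULL || conn->context == NULL) return true;
    return conn->backlog >= BACKLOG_LIMIT;
}
enum syn_verdict { SYN_ACCEPTED = 0, SYN_DROPPED = 1 };
/* SYN branch of tcp_recv(): the search result is validated before any dereference. */
static enum syn_verdict tcp_recv_syn(uint16_t dst_port) {
    struct tcp_conn *conn = tcp_conn_search(dst_port);
    if (tcp_backlog_is_full(conn)) return SYN_DROPPED;  /* covers the teardown race */
    conn->backlog++;
    return SYN_ACCEPTED;
}
```

The unchecked variant behaves identically for a live connection; the two only differ on the NULL that the teardown race produces, which is exactly the case the advisory describes.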

Added: Apr 5, 2026, 4:18 AM
Updated: Apr 5, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 5.3
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.