Change in openbsc[master]: nat: Fix crash (double-free) in forward_sccp_to_msc


Pau Espin Pedrol gerrit-no-reply at lists.osmocom.org
Wed May 8 09:42:24 UTC 2019


Pau Espin Pedrol has submitted this change and it was merged. ( https://gerrit.osmocom.org/13837 )

Change subject: nat: Fix crash (double-free) in forward_sccp_to_msc
......................................................................

nat: Fix crash (double-free) in forward_sccp_to_msc

In bsc_nat_parse(), parsed is allocated this way:
"""parsed = talloc_zero(msg, struct bsc_nat_parsed);"""
So parsed is a child of msg, and so it's freed when msg is freed.

Since libosmocore c7f52c4c84d6a8898048738c4db9266289c40b45,
osmo_wqueue_enqueue() correctly detects queue full and returns an error,
and then queue_for_msc() calls msgb_free(). Code in osmo-bsc-nat was
probably written before that change in behavior, which is probably why
the bug was not hit before.

The "if (parsed)" condition is removed since it's actually fine to
talloc_free(NULL).

Related: SYS#4548
Change-Id: I209d3e2d809a67915ec43c874e68f7f746a565f0
---
M openbsc/src/osmo-bsc_nat/bsc_nat.c
1 file changed, 2 insertions(+), 2 deletions(-)

Approvals:
  Holger Freyther: Looks good to me, approved
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index c97483a..30e4b34 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -1281,9 +1281,9 @@
 	}
 
 	/* send the non-filtered but maybe modified msg */
+	talloc_free(parsed);
 	queue_for_msc(con_msc, msg);
-	if (parsed)
-		talloc_free(parsed);
+
 	return 0;
 
 exit:
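Review bot: the reordering is correct, but the new `talloc_free(parsed);` line carries no hint of why it must precede `queue_for_msc(con_msc, msg);`, so a later refactor could move it back below the call and reintroduce the double-free. Since `parsed` is a talloc child of `msg` and `queue_for_msc()` may free `msg` on enqueue failure, add a one-line comment next to the free, e.g. `/* parsed is a child of msg; queue_for_msc() may free msg on error */`. Also, the added empty `+` line leaves a stray blank line between `queue_for_msc(con_msc, msg);` and `return 0;`; dropping it keeps the hunk to the two-line move it describes.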

-- 
To view, visit https://gerrit.osmocom.org/13837
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I209d3e2d809a67915ec43c874e68f7f746a565f0
Gerrit-Change-Number: 13837
Gerrit-PatchSet: 4
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Daniel Willmann <dwillmann at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Holger Freyther <holger at freyther.de>
Gerrit-Reviewer: Jenkins Builder (1000002)
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>