Change in osmo-bts[master]: cbch: Fix bts_smscb_state_reset() to avoid double-free

historical

laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/26355 )

Change subject: cbch: Fix bts_smscb_state_reset() to avoid double-free
......................................................................

cbch: Fix bts_smscb_state_reset() to avoid double-free

If the currently transmitted message is the default message,
bts_ss->cur_msg == bts_ss->derfault_msg.  In this case we cannot
simply talloc_free() both of them, as it would result in a boudle-free.

Change-Id: I2d3645e34d31507b012a53ffe12d14223682f808
Closes: OS#5325
Fixes: Ib01d38c59ba9fa083fcc0682009c13d2db3664fe
---
M src/common/cbch.c
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved; Verified

diff --git a/src/common/cbch.c b/src/common/cbch.c
index addd68c..a3e1296 100644
--- a/src/common/cbch.c
+++ b/src/common/cbch.c
@@ -332,7 +332,10 @@
 	}
 	bts_ss->queue_len = 0;
 	rate_ctr_group_reset(bts_ss->ctrs);
-	TALLOC_FREE(bts_ss->cur_msg);
+	/* avoid double-free of default_msg in case cur_msg == default_msg */
+	if (bts_ss->cur_msg && bts_ss->cur_msg != bts_ss->default_msg)
+		talloc_free(bts_ss->cur_msg);
+	bts_ss->cur_msg = NULL;
 	TALLOC_FREE(bts_ss->default_msg);
 }
 

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/26355
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Change-Id: I2d3645e34d31507b012a53ffe12d14223682f808
Gerrit-Change-Number: 26355
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <laforge at osmocom.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-MessageType: merged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20211124/41f1d3b6/attachment.htm>
