<p>Pau Espin Pedrol <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/13837">View Change</a></p><div style="white-space:pre-wrap">Approvals:
Holger Freyther: Looks good to me, approved
Harald Welte: Looks good to me, approved
Jenkins Builder: Verified
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">nat: Fix crash (double-free) in forward_sccp_to_msc<br><br>In bsc_nat_parse(), parsed is allocated this way:<br>"""parsed = talloc_zero(msg, struct bsc_nat_parsed);"""<br>So parsed is a child of msg, and so it's freed when msg is freed.<br><br>Since libosmocore c7f52c4c84d6a8898048738c4db9266289c40b45,<br>osmo_wqueue_enqueue() correctly detects queue full and returns an error,<br>and then queue_for_msc() calls msgb_free(). Code in osmo-bsc-nat was<br>probably written before that change in behavior, so that's why probably<br>the bug was not hit before.<br><br>The "if (parsed)" condition is removed since it's actually fine to<br>talloc_free(NULL).<br><br>Related: SYS#4548<br>Change-Id: I209d3e2d809a67915ec43c874e68f7f746a565f0<br>---<br>M openbsc/src/osmo-bsc_nat/bsc_nat.c<br>1 file changed, 2 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c</span><br><span>index c97483a..30e4b34 100644</span><br><span>--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c</span><br><span>+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c</span><br><span>@@ -1281,9 +1281,9 @@</span><br><span> }</span><br><span> </span><br><span> /* send the non-filtered but maybe modified msg */</span><br><span style="color: hsl(120, 100%, 40%);">+ talloc_free(parsed);</span><br><span> queue_for_msc(con_msc, msg);</span><br><span style="color: hsl(0, 100%, 40%);">- if (parsed)</span><br><span style="color: hsl(0, 100%, 40%);">- talloc_free(parsed);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> return 0;</span><br><span> </span><br><span> exit:</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/13837">change 13837</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/13837"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: openbsc </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: I209d3e2d809a67915ec43c874e68f7f746a565f0 </div>
<div style="display:none"> Gerrit-Change-Number: 13837 </div>
<div style="display:none"> Gerrit-PatchSet: 4 </div>
<div style="display:none"> Gerrit-Owner: Pau Espin Pedrol <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Daniel Willmann <dwillmann@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Harald Welte <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Holger Freyther <holger@freyther.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder (1000002) </div>
<div style="display:none"> Gerrit-Reviewer: Pau Espin Pedrol <pespin@sysmocom.de> </div>