<p>laforge <strong>merged</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmo-remsim/+/14907">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">rspro_client_fsm/remsim_client: Fix double-free<br><br>respro_dec_msg() takes ownership of the input msgb in both<br>successful and unsuccessful cases, so we must not call talloc_free<br>on the resulting msgb.<br><br>Change-Id: Id54d1b73395da1329a998d213c190da49eb90a93<br>---<br>M src/remsim_client.c<br>M src/rspro_client_fsm.c<br>M src/simtrace2-remsim_client.c<br>3 files changed, 5 insertions(+), 2 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/remsim_client.c b/src/remsim_client.c</span><br><span>index 88ac4cd..e73fcc4 100644</span><br><span>--- a/src/remsim_client.c</span><br><span>+++ b/src/remsim_client.c</span><br><span>@@ -90,6 +90,7 @@</span><br><span>             default:</span><br><span>                     break;</span><br><span>               }</span><br><span style="color: hsl(120, 100%, 40%);">+             msgb_free(msg);</span><br><span>              break;</span><br><span>       case IPAC_PROTO_OSMO:</span><br><span>                if (!he || msgb_l2len(msg) < sizeof(*he))</span><br><span>diff --git a/src/rspro_client_fsm.c b/src/rspro_client_fsm.c</span><br><span>index 768c15f..06364da 100644</span><br><span>--- a/src/rspro_client_fsm.c</span><br><span>+++ b/src/rspro_client_fsm.c</span><br><span>@@ -130,6 +130,7 @@</span><br><span>                      break;</span><br><span>               default:</span><br><span>                     break;</span><br><span style="color: hsl(120, 100%, 40%);">+                msgb_free(msg);</span><br><span>              }</span><br><span>            break;</span><br><span>       case IPAC_PROTO_OSMO:</span><br><span>@@ -139,6 +140,8 @@</span><br><span>          switch (he->proto) {</span><br><span>              case IPAC_PROTO_EXT_RSPRO:</span><br><span>                   LOGPFSM(srvc->fi, "Received RSPRO %s\n", msgb_hexdump(msg));</span><br><span style="color: 
hsl(120, 100%, 40%);">+                     /* respro_dec_msg() takes ownership of the input message buffer in successful</span><br><span style="color: hsl(120, 100%, 40%);">+                  * and unsuccessful cases */</span><br><span>                         pdu = rspro_dec_msg(msg);</span><br><span>                    if (!pdu)</span><br><span>                            goto invalid;</span><br><span>@@ -152,7 +155,6 @@</span><br><span>  default:</span><br><span>             goto invalid;</span><br><span>        }</span><br><span style="color: hsl(0, 100%, 40%);">-       msgb_free(msg);</span><br><span>      return rc;</span><br><span> </span><br><span> invalid:</span><br><span>diff --git a/src/simtrace2-remsim_client.c b/src/simtrace2-remsim_client.c</span><br><span>index 04aa0c6..094773f 100644</span><br><span>--- a/src/simtrace2-remsim_client.c</span><br><span>+++ b/src/simtrace2-remsim_client.c</span><br><span>@@ -578,6 +578,7 @@</span><br><span> </span><br><span> static int bankd_handle_msg(struct bankd_client *bc, struct msgb *msg)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+  /* rspro_dec_msg takes ownership of msgb and talloc_free()s it in successful and unsuccessful case */</span><br><span>        RsproPDU_t *pdu = rspro_dec_msg(msg);</span><br><span>        if (!pdu) {</span><br><span>          LOGPFSML(bc->bankd_fi, LOGL_ERROR, "Error decoding PDU\n");</span><br><span>@@ -627,7 +628,6 @@</span><br><span>       LOGPFSML(bc->bankd_fi, LOGL_DEBUG, "Received RSPRO %s\n", msgb_hexdump(msg));</span><br><span> </span><br><span>       rc = bankd_handle_msg(bc, msg);</span><br><span style="color: hsl(0, 100%, 40%);">- msgb_free(msg);</span><br><span>      return rc;</span><br><span> </span><br><span> invalid:</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-remsim/+/14907">change 14907</a>. 
</p>
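Review bot: In src/rspro_client_fsm.c, hunk @@ -130,6 +130,7 @@, the added msgb_free(msg) sits after the default case's break; and before the closing brace of the inner switch, so it can never execute. Because the @@ -152,7 +155,6 @@ hunk removes the common msgb_free(msg) ahead of return rc, this path now leaks msg unless the inner cases release it themselves. Move the call below the closing brace, just before the outer break;, which is where the src/remsim_client.c hunk puts it.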
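Review bot: In src/rspro_client_fsm.c, hunk @@ -139,6 +140,8 @@, the if (!pdu) goto invalid; path runs after rspro_dec_msg(msg) has already consumed msg, and the body of the invalid: label is not part of this diff. Please confirm that invalid: neither frees nor dereferences msg when reached from here, otherwise the double-free only moves to the error path. The new comment also names the function respro_dec_msg(); the call below it is rspro_dec_msg().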
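Review bot: In src/remsim_client.c, hunk @@ -90,6 +90,7 @@, the change only adds a msgb_free(msg) in the branch ahead of case IPAC_PROTO_OSMO, which the commit message does not explain since it talks solely about removing a double-free. If this closes a leak on that branch, say so in the commit message. The diff also shows no matching change for the rspro_dec_msg() path in this file, so it is worth stating that no trailing free follows the decode there.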
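Review bot: In src/simtrace2-remsim_client.c, hunk @@ -578,6 +578,7 @@, the ownership comment is placed inside the body of bankd_handle_msg(), while the caller in hunk @@ -627,7 +628,6 @@ now depends on that function consuming msg. Put the note on the function header so the contract is visible at the call site, and state there that msg must not be used after the call returns. The msgb_hexdump(msg) log line is correctly placed before the call and has to stay there.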

<div style="display:none"> Gerrit-Project: osmo-remsim </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Id54d1b73395da1329a998d213c190da49eb90a93 </div>
<div style="display:none"> Gerrit-Change-Number: 14907 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: laforge <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@gnumonks.org> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>