<p>laforge <strong>submitted</strong> this change.</p><p><a href="https://gerrit.osmocom.org/c/osmocom-bb/+/17302">View Change</a></p><div style="white-space:pre-wrap">Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, but someone else must approve
  laforge: Looks good to me, approved

</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">mobile/gsm322: fix use-after-free of cs->si reported by ASan<br><br>This pointer cs->si stores an address to the System Information of<br>a currently selected cell. When we release System Information,<br>ensure that it does not point to free()d memory.<br><br>Change-Id: Ife2ddf7274a48447a9ded9035f9dd01befaf2e6c<br>---<br>M src/host/layer23/src/mobile/gsm322.c<br>1 file changed, 7 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/host/layer23/src/mobile/gsm322.c b/src/host/layer23/src/mobile/gsm322.c</span><br><span>index ddb3a77..cc4f0cd 100644</span><br><span>--- a/src/host/layer23/src/mobile/gsm322.c</span><br><span>+++ b/src/host/layer23/src/mobile/gsm322.c</span><br><span>@@ -2635,6 +2635,8 @@</span><br><span>                       if (cs->list[cs->arfci].sysinfo) {</span><br><span>                             LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",</span><br><span>                                   gsm_print_arfcn(cs->arfcn));</span><br><span style="color: hsl(120, 100%, 40%);">+                               if (cs->si == cs->list[cs->arfci].sysinfo)</span><br><span style="color: hsl(120, 100%, 40%);">+                                   cs->si = NULL;</span><br><span>                            talloc_free(cs->list[cs->arfci].sysinfo);</span><br><span>                              cs->list[cs->arfci].sysinfo = NULL;</span><br><span>                    }</span><br><span>@@ -2752,6 +2754,8 @@</span><br><span>    if (cs->list[cs->arfci].sysinfo) {</span><br><span>             LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",</span><br><span>                   gsm_print_arfcn(cs->arfcn));</span><br><span style="color: hsl(120, 100%, 40%);">+               if (cs->si == cs->list[cs->arfci].sysinfo)</span><br><span style="color: hsl(120, 100%, 40%);">+                   cs->si = 
NULL;</span><br><span>            talloc_free(cs->list[cs->arfci].sysinfo);</span><br><span>              cs->list[cs->arfci].sysinfo = NULL;</span><br><span>    }</span><br><span>@@ -2919,6 +2923,8 @@</span><br><span>                    cs->list[i].flags &= ~GSM322_CS_FLAG_SYSINFO;</span><br><span>                         LOGP(DCS, LOGL_DEBUG, "free sysinfo ARFCN=%s\n",</span><br><span>                           gsm_print_arfcn(index2arfcn(i)));</span><br><span style="color: hsl(120, 100%, 40%);">+                     if (cs->si == cs->list[i].sysinfo)</span><br><span style="color: hsl(120, 100%, 40%);">+                              cs->si = NULL;</span><br><span>                    talloc_free(cs->list[i].sysinfo);</span><br><span>                         cs->list[i].sysinfo = NULL;</span><br><span>               }</span><br><span>@@ -5145,6 +5151,7 @@</span><br><span>                            gsm_print_arfcn(index2arfcn(i)));</span><br><span>                    talloc_free(cs->list[i].sysinfo);</span><br><span>                         cs->list[i].sysinfo = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+                        cs->si = NULL;</span><br><span>            }</span><br><span>            cs->list[i].flags = 0;</span><br><span>    }</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmocom-bb/+/17302">change 17302</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmocom-bb/+/17302"/><meta itemprop="name" content="View Change"/></div></div>
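Review bot: the cs->si = NULL assignment added before talloc_free() in the @@ -2635 hunk replaces a dangling pointer with a NULL one, but the change (7 insertions, 0 deletions) touches no code that reads cs->si. Please confirm that every reader of cs->si reachable after this release path checks for NULL first, and mention that in the commit message, so that the use-after-free is not traded for a NULL dereference.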
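Review bot: the two-line "if (cs->si == cs->list[i].sysinfo) cs->si = NULL;" check added before talloc_free() in the @@ -2919 hunk is the third copy of the same guard; the @@ -2635 and @@ -2752 hunks carry it with cs->arfci as the index. A future free site can easily miss it. Consider one small helper that takes cs and the list index, clears cs->si when it matches the entry, frees the entry and sets cs->list[...].sysinfo to NULL, and call it from each of these sites.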
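Review bot: in the @@ -5145 hunk cs->si is reset unconditionally and after talloc_free(cs->list[i].sysinfo), while the other three hunks compare cs->si against the entry and reset it before the free. If the unconditional reset is intended here, a short comment saying why would help; otherwise use the same "if (cs->si == cs->list[i].sysinfo)" check ahead of the talloc_free() call so that all four sites behave alike.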

<div style="display:none"> Gerrit-Project: osmocom-bb </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Ife2ddf7274a48447a9ded9035f9dd01befaf2e6c </div>
<div style="display:none"> Gerrit-Change-Number: 17302 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Vadim Yanitskiy <axilirator@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-Reviewer: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-Reviewer: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>