<p>laforge has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-bts/+/26351">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">cbch: Fix dangling cur_msg leading to double-free in bts_cbch_reset()<br><br>If a new default message is installed via RSL, and the old default<br>message is currently being transmitted, we must set cur_msg to NULL.<br><br>The old default message must be talloc_free()d unconditionally whenever<br>a new default message is being set.<br><br>We can do that by using the TALLOC_FREE macro.<br><br>Change-Id: Id32c2074b61cd1f09957b9d1558ffb3a7691a8e0<br>Closes: OS#5325<br>---<br>M src/common/cbch.c<br>1 file changed, 3 insertions(+), 3 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/51/26351/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/common/cbch.c b/src/common/cbch.c</span><br><span>index addd68c..4677480 100644</span><br><span>--- a/src/common/cbch.c</span><br><span>+++ b/src/common/cbch.c</span><br><span>@@ -233,10 +233,10 @@</span><br><span>          rate_ctr_inc2(bts_ss->ctrs, CBCH_CTR_RCVD_QUEUED);</span><br><span>                break;</span><br><span>       case RSL_CB_CMD_TYPE_DEFAULT:</span><br><span style="color: hsl(0, 100%, 40%);">-           /* old default msg will be free'd in get_smscb_block() if it is currently in transit</span><br><span style="color: hsl(0, 100%, 40%);">-                 * and we set a new default_msg here */</span><br><span style="color: hsl(120, 100%, 40%);">+               /* clear the cur_msg pointer if it is the old default message */</span><br><span>             if (bts_ss->cur_msg && bts_ss->cur_msg == bts_ss->default_msg)</span><br><span style="color: hsl(0, 100%, 40%);">-                 talloc_free(bts_ss->cur_msg);</span><br><span style="color: 
hsl(120, 100%, 40%);">+                      bts_ss->cur_msg = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+            talloc_free(bts_ss->default_msg);</span><br><span>                 if (cmd_type.def_bcast == RSL_CB_CMD_DEFBCAST_NORMAL)</span><br><span>                        /* def_bcast == 0: normal message */</span><br><span>                         bts_ss->default_msg = scm;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-bts/+/26351">change 26351</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-bts/+/26351"/><meta itemprop="name" content="View Change"/></div></div>
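<p>Review bot: the added talloc_free(bts_ss->default_msg) in the RSL_CB_CMD_TYPE_DEFAULT case leaves bts_ss->default_msg pointing at freed memory until it is reassigned, and the only reassignment visible in this hunk sits inside the def_bcast == RSL_CB_CMD_DEFBCAST_NORMAL branch. The commit message says the free is done with the TALLOC_FREE macro, but the hunk calls plain talloc_free(). Using TALLOC_FREE(bts_ss->default_msg) would match the message and set the pointer to NULL, so a path that does not store scm cannot leave a second dangling reference of the kind this change removes for cur_msg. The replacement comment could also state that the old default message is now freed here, since the removed comment pointed readers at get_smscb_block() for that.</p>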

<div style="display:none"> Gerrit-Project: osmo-bts </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: Id32c2074b61cd1f09957b9d1558ffb3a7691a8e0 </div>
<div style="display:none"> Gerrit-Change-Number: 26351 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: laforge <laforge@osmocom.org> </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>