patch: fix of double free bug
Holger Freyther
zecke at selfish.org
Tue Nov 17 09:58:45 CET 2009
On Monday 16 November 2009 18:52:31 Andreas.Eversberg wrote:
> this patch fixes double free of paging request.
>
> the function paging_T3113_expired() must call paging_remove_request()
> first. then the cbfn may be called. the cbfn function cannot eventually
> remove the paging request again, because it is not in the list anymore.
>
> the result of paging timeout was a crash.
>
> diff --git a/openbsc/src/paging.c b/openbsc/src/paging.c
> index 5a9643c..164a08b 100644
> --- a/openbsc/src/paging.c
> +++ b/openbsc/src/paging.c
> @@ -224,11 +243,13 @@ static void paging_T3113_expired(void *data)
> sig_data.bts = req->bts;
> sig_data.lchan = NULL;
>
> + /* must be destroyed before calling cbfn, to prevent double free
> */
> + paging_remove_request(&req->bts->paging, req);
> +
> dispatch_signal(SS_PAGING, S_PAGING_COMPLETED, &sig_data);
> if (req->cbfn)
> req->cbfn(GSM_HOOK_RR_PAGING, GSM_PAGING_EXPIRED, NULL,
> NULL,
> req->cbfn_param);
Ack, this has one issue though... "req" now points to freed memory. We will
need to put a copy of the callback and the data somewhere before calling the
callback. I'm doing this right now.
z.
More information about the OpenBSC
mailing list