fixeria has uploaded this change for review. (
https://gerrit.osmocom.org/c/libosmocore/+/28517 )
Change subject: gb: fix uninitialized ptr access in bssgp_encode_rim_pdu()
......................................................................
gb: fix uninitialized ptr access in bssgp_encode_rim_pdu()
Jumping to label 'error' before allocating memory and storing an
address to pointer 'rim_cont_buf' would result in passing garbage
to talloc_free(). Found with clang 14.
Change-Id: I9420615b64d3755fd9131e8561c516c39f83a15b
---
M src/gb/gprs_bssgp_rim.c
1 file changed, 4 insertions(+), 4 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/17/28517/1
diff --git a/src/gb/gprs_bssgp_rim.c b/src/gb/gprs_bssgp_rim.c
index 63b303e..71f7ea8 100644
--- a/src/gb/gprs_bssgp_rim.c
+++ b/src/gb/gprs_bssgp_rim.c
@@ -1064,7 +1064,6 @@
struct msgb *msg = bssgp_msgb_alloc();
struct bssgp_normal_hdr *bgph;
uint8_t rim_ri_buf[BSSGP_RIM_ROUTING_INFO_MAXLEN];
- uint8_t *rim_cont_buf;
int rc;
if (!msg)
@@ -1105,7 +1104,7 @@
/* Put RIM container */
if (pdu->decoded_present) {
- rim_cont_buf = talloc_zero_size(msg, msg->data_len);
+ uint8_t *rim_cont_buf = talloc_zero_size(msg, msg->data_len);
if (!rim_cont_buf)
goto error;
@@ -1130,8 +1129,10 @@
/* The API user must set the iei properly! */
OSMO_ASSERT(false);
}
- if (rc < 0)
+ if (rc < 0) {
+ talloc_free(rim_cont_buf);
goto error;
+ }
msgb_tvlv_put(msg, pdu->rim_cont_iei, rc, rim_cont_buf);
talloc_free(rim_cont_buf);
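Review bot: The `talloc_free(rim_cont_buf);` added inside the new `if (rc < 0) {` block looks redundant rather than necessary: the buffer is allocated with `msg` as its talloc parent (`talloc_zero_size(msg, msg->data_len)` in the previous hunk), and the `error` label calls `msgb_free(msg)`, which — assuming it releases the msgb through talloc as libosmocore's msgb normally does — frees every child, this buffer included. If that holds, the block can go back to the single `goto error;` and the ownership becomes clearer; either way a one-line comment above the allocation, such as `/* rim_cont_buf is a talloc child of msg and is released with it on the error path */`, would record why no separate free is needed there and why the free after msgb_tvlv_put() is only an early release. Keeping the explicit free is harmless, so this is a clarity point, not a defect. The enclosing function bssgp_encode_rim_pdu() starts before the first hunk; its closing brace is in the last hunk.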
@@ -1143,7 +1144,6 @@
return msg;
error:
- talloc_free(rim_cont_buf);
msgb_free(msg);
return 0;
}
--
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I9420615b64d3755fd9131e8561c516c39f83a15b
Gerrit-Change-Number: 28517
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-MessageType: newchange