pespin submitted this change.
lapd: Take talloc msgb ownership when enqueueing it
Otherwise the msg talloc reference is kept parented at some unknown
pointer in some unknown upper layer, which may cause memory corruption
or use-after-free.
Related: OS#6728
Change-Id: I32729060b5a18576310b3789da522f4392d9611e
---
M src/isdn/lapd_core.c
1 file changed, 2 insertions(+), 0 deletions(-)
diff --git a/src/isdn/lapd_core.c b/src/isdn/lapd_core.c
index b32ed26..caaf092 100644
--- a/src/isdn/lapd_core.c
+++ b/src/isdn/lapd_core.c
@@ -1922,6 +1922,8 @@
LOGDL(dl, LOGL_INFO, "writing message to send-queue: l3len: %d\n", msgb_l3len(msg));
+ /* Take ownership of msg, since we are keeping it around in this layer: */
+ talloc_steal(tall_lapd_ctx, msg);
/* Write data into the send queue */
msgb_enqueue(&dl->send_queue, msg);
To view, visit change 39807. To unsubscribe, or for help writing mail filters, visit settings.