pespin has uploaded this change for review.


lapdm: Move queue initialization to specific init function

Otherwise the msg talloc reference is kept parented at some unknown
pointer in some unknown upper layer, which may cause memory corruption
or use-after-free.

Change-Id: I9c73f3aa5cc39d298296a82a99fbaf234b0ebe99
Related: OS#6728
---
M src/gsm/lapdm.c
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/12/39812/1
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index 8f7db90..74e0736 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -136,6 +136,7 @@
const char *name)
{
memset(dl, 0, sizeof(*dl));
+ INIT_LLIST_HEAD(&dl->tx_ui_queue);
dl->entity = entity;
lapd_dl_init2(&dl->dl, 1, 8, 251, name); /* Section 5.8.5 of TS 04.06 */
dl->dl.reestablish = 0; /* GSM uses no reestablish */
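Review bot: the new `INIT_LLIST_HEAD(&dl->tx_ui_queue);` is correctly placed after the `memset(dl, 0, sizeof(*dl));`, so the zeroed head (NULL next/prev) is turned into a valid empty list before the entity pointer and lapd_dl_init2() are set up; putting it before the memset would have silently undone it. Please confirm that lapdm_dl_init() is the only place that prepares a struct lapdm_datalink, and add a short comment at this line stating that the queue must be set up here for every caller, so nobody re-adds a per-caller init (a second INIT_LLIST_HEAD on a non-empty queue would orphan the queued msgbs).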
@@ -200,7 +201,6 @@
lapdm_dl_init(&le->datalink[i], le, (t200_ms) ? t200_ms[i] : 0, n200, name);
} else
lapdm_dl_init(&le->datalink[i], le, (t200_ms) ? t200_ms[i] : 0, n200, NULL);
- INIT_LLIST_HEAD(&le->datalink[i].tx_ui_queue);
}

lapdm_entity_set_mode(le, mode);
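Review bot: removing `INIT_LLIST_HEAD(&le->datalink[i].tx_ui_queue);` here is only safe because both branches of the if/else above reach lapdm_dl_init(), which now performs the same initialization; the hunk is consistent in that respect. As a style point while touching this block, the `} else` with an unbraced single-statement body next to a braced if-branch reads oddly and should either gain braces or a comment, since the removed line previously made the end of the loop body obvious.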


Gerrit-MessageType: newchange
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I9c73f3aa5cc39d298296a82a99fbaf234b0ebe99
Gerrit-Change-Number: 39812
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin@sysmocom.de>