pespin submitted this change.


Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, approved
lapdm: Take talloc msgb ownership when enqueueing it

Otherwise the msg talloc reference is kept parented at some unknown
pointer in some unknown upper layer, which may cause memory corruption
or use-after-free.

Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7
Related: OS#6728
---
M src/gsm/lapdm.c
1 file changed, 4 insertions(+), 0 deletions(-)

diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index 61ea535..f725b44 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -376,6 +376,8 @@
*msgb_push(msg, 1) = pad;
*msgb_push(msg, 1) = link_id;
*msgb_push(msg, 1) = chan_nr;
+ /* Take ownership of msg, since we are keeping it around in this layer: */
+ talloc_steal(tall_lapd_ctx, msg);
msgb_enqueue(&dl->dl.tx_queue, msg);
return 0;
}
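Review bot: The ownership transfer at the added talloc_steal(tall_lapd_ctx, msg), just before msgb_enqueue(&dl->dl.tx_queue, msg), is documented only by the inline comment. The function's API documentation should state that on the return 0 path the msgb is reparented to tall_lapd_ctx and the caller must no longer free it through its own context. It is also worth confirming that tall_lapd_ctx is set by the time this runs, since talloc_steal() with a NULL new parent turns the msgb into a top-level talloc context rather than a child of the LAPD context.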
@@ -403,6 +405,8 @@
*msgb_push(msg, 1) = pad;
*msgb_push(msg, 1) = link_id;
*msgb_push(msg, 1) = chan_nr;
+ /* Take ownership of msg, since we are keeping it around in this layer: */
+ talloc_steal(tall_lapd_ctx, msg);
msgb_enqueue(&dl->tx_ui_queue, msg);
return 0;
}
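Review bot: The comment and talloc_steal(tall_lapd_ctx, msg) call before msgb_enqueue(&dl->tx_ui_queue, msg) are a verbatim copy of the pair in the previous hunk. Consider a small static helper that steals and enqueues in one step, so both queues go through one place and a later enqueue site cannot omit the steal. The code that dequeues from tx_ui_queue is not part of this diff, so it is worth checking that it frees or hands over the msgb consistently with the new parent.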


Gerrit-MessageType: merged
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7
Gerrit-Change-Number: 39808
Gerrit-PatchSet: 3
Gerrit-Owner: pespin <pespin@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy@sysmocom.de>
Gerrit-Reviewer: laforge <laforge@osmocom.org>
Gerrit-Reviewer: pespin <pespin@sysmocom.de>