pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-cbc/+/28691 )
Change subject: sbcap_server: Fix double-free of rx msg if conn is destroyed
sbcap_server: Fix double-free of rx msg if conn is destroyed
In sbcap_cbc_read_cb(), if sctp_recvmsg() fails and we end up calling osmo_stream_srv_destroy(conn), then both conn and client will end up being freed by sbcap_cbc_closed_cb(), so we cannot use them anymore after calling osmo_stream_srv_destroy(conn). Furthermore, since msg was allocated with "client" ctx as parent, it would also be freed when "client" was freed. Let's make the logic easier and alloc it under g_cbc, which is guaranteed to always be kept there.
Change-Id: I201f44efa24a514e0087b6dcd01115b9b2b8e9db --- M src/sbcap_server.c 1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-cbc refs/changes/91/28691/1
diff --git a/src/sbcap_server.c b/src/sbcap_server.c index 56beae6..159fa89 100644 --- a/src/sbcap_server.c +++ b/src/sbcap_server.c @@ -59,7 +59,7 @@ struct osmo_sbcap_cbc *cbc = osmo_stream_srv_link_get_data(link); struct osmo_fd *ofd = osmo_stream_srv_get_ofd(conn); SBcAP_SBC_AP_PDU_t *pdu; - struct msgb *msg = msgb_alloc_c(client, 1500, "SBcAP-rx"); + struct msgb *msg = msgb_alloc_c(g_cbc, 1500, "SBcAP-rx"); struct sctp_sndrcvinfo sinfo; int flags = 0; int rc;
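Review bot: Reparenting msg from client to g_cbc in sbcap_cbc_read_cb() removes the double-free, but it also means msg now outlives the connection, so every exit path after the sctp_recvmsg() failure (and after any osmo_stream_srv_destroy(conn) call) must still reach msgb_free(msg) or the buffer leaks under the global g_cbc context for the lifetime of the process; the hunk only shows the allocation line, so please double-check the error paths in the rest of the function. The commit message also states that conn and client must not be touched after osmo_stream_srv_destroy(conn), which this one-line change does not enforce by itself; a short comment next to `struct msgb *msg = msgb_alloc_c(g_cbc, 1500, "SBcAP-rx");` explaining that the msgb is deliberately not owned by client because client may be freed mid-function would make the intent clear and help prevent someone moving it back to the client context later.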