pespin has uploaded this change for review.
sbcap_server: Fix double-free of rx msg if conn is destroyed
In sbcap_cbc_read_cb(), if sctp_recvmsg() fails and we end up calling
osmo_stream_srv_destroy(conn), then both conn and client will end up
being freed by sbcap_cbc_closed_cb(), so we cannot use them anymore
after calling osmo_stream_srv_destroy(conn).
Furthermore, since msg was allocated with "client" ctx as parent, it
would also be freed when "client" was freed.
Let's make the logic easier and alloc it under g_cbc, which is
guaranteed to always be kept there.
Change-Id: I201f44efa24a514e0087b6dcd01115b9b2b8e9db
---
M src/sbcap_server.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-cbc refs/changes/91/28691/1
diff --git a/src/sbcap_server.c b/src/sbcap_server.c
index 56beae6..159fa89 100644
--- a/src/sbcap_server.c
+++ b/src/sbcap_server.c
@@ -59,7 +59,7 @@
struct osmo_sbcap_cbc *cbc = osmo_stream_srv_link_get_data(link);
struct osmo_fd *ofd = osmo_stream_srv_get_ofd(conn);
SBcAP_SBC_AP_PDU_t *pdu;
- struct msgb *msg = msgb_alloc_c(client, 1500, "SBcAP-rx");
+ struct msgb *msg = msgb_alloc_c(g_cbc, 1500, "SBcAP-rx");
struct sctp_sndrcvinfo sinfo;
int flags = 0;
int rc;
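Review bot: moving the allocation from the per-connection "client" context to g_cbc detaches msg's lifetime from the connection, so the function must now free it explicitly on every exit, including the error path where sctp_recvmsg() fails and osmo_stream_srv_destroy(conn) is called; those paths are outside this hunk, so please confirm each one reaches a msgb_free(msg) (or hands the msg to something that will free it), otherwise the double-free becomes a leak that lives as long as g_cbc. Also, the function already fetches the per-link context into the local `cbc` (`struct osmo_sbcap_cbc *cbc = osmo_stream_srv_link_get_data(link);`), so `msgb_alloc_c(cbc, 1500, "SBcAP-rx")` would express the same lifetime without reaching for a global, unless `cbc` and g_cbc are intentionally different objects here.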