pespin has submitted this change. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/40276?usp=email )
( 3 is the latest approved patch-set. No files were changed between the latest approved patch-set and the submitted one. )
Change subject: ps_rab_ass_fsm: Fix potential use-after-free if Tx RAB-ASS-RESP over SCCP fails
......................................................................
ps_rab_ass_fsm: Fix potential use-after-free if Tx RAB-ASS-RESP over SCCP fails
ps_rab_ass_failure() is already calling osmo_fsm_inst_term(rab_ass->fi(), which will free "fi" and its child talloc struct "rab_ass". Hence, return early as done everywhere else in order to avoid accessing the struct again.
Change-Id: Id605f2b279a4d886399de27f6a94622ad7bf982b
---
M src/osmo-hnbgw/ps_rab_ass_fsm.c
1 file changed, 1 insertion(+), 1 deletion(-)
Approvals:
  Jenkins Builder: Verified
  laforge: Looks good to me, approved
  osmith: Looks good to me, but someone else must approve
diff --git a/src/osmo-hnbgw/ps_rab_ass_fsm.c b/src/osmo-hnbgw/ps_rab_ass_fsm.c index 68bf58a..0e0971e 100644 --- a/src/osmo-hnbgw/ps_rab_ass_fsm.c +++ b/src/osmo-hnbgw/ps_rab_ass_fsm.c @@ -601,8 +601,8 @@ if (rc < 0) { LOG_PS_RAB_ASS(rab_ass, LOGL_ERROR, "Sending RANAP PS RAB-AssignmentResponse failed\n"); ps_rab_ass_failure(rab_ass); + return; } - /* The request message has been forwarded. We are done. */ osmo_fsm_inst_term(rab_ass->fi, OSMO_FSM_TERM_REGULAR, NULL); }
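Review bot: The new `return;` after `ps_rab_ass_failure(rab_ass);` in the `if (rc < 0)` branch is only correct because, per the commit message, the callee has already terminated the FSM instance and freed `rab_ass`, and nothing at the call site records that. A one-line comment above the `return;` stating that `rab_ass` must not be touched after `ps_rab_ass_failure()` would keep a later edit from reintroducing an access between the failure call and the final `osmo_fsm_inst_term(rab_ass->fi, OSMO_FSM_TERM_REGULAR, NULL)`. The single deletion sits next to the "The request message has been forwarded. We are done." comment; if that is a whitespace-only change, it could be dropped so the fix stays a pure one-line addition.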