pespin has uploaded this change for review.

View Change

ps_rab_ass_fsm: Fix potential use-after-free if Tx RAB-ASS-RESP over SCCP fails

ps_rab_ass_failure() is already calling
osmo_fsm_inst_term(rab_ass->fi(), which will free "fi" and its child
talloc struct "rab_ass".
Hence, return early as done everywher else in order to avoid accessing
the struct again.

Change-Id: Id605f2b279a4d886399de27f6a94622ad7bf982b
---
M src/osmo-hnbgw/ps_rab_ass_fsm.c
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/76/40276/1
diff --git a/src/osmo-hnbgw/ps_rab_ass_fsm.c b/src/osmo-hnbgw/ps_rab_ass_fsm.c
index fc3b605..fc15fff 100644
--- a/src/osmo-hnbgw/ps_rab_ass_fsm.c
+++ b/src/osmo-hnbgw/ps_rab_ass_fsm.c
@@ -633,8 +633,8 @@
 	if (rc < 0) {
 		LOG_PS_RAB_ASS(rab_ass, LOGL_ERROR, "Sending RANAP PS RAB-AssignmentResponse failed\n");
 		ps_rab_ass_failure(rab_ass);
+		return;
 	}
-
 	/* The request message has been forwarded. We are done. */
 	osmo_fsm_inst_term(rab_ass->fi, OSMO_FSM_TERM_REGULAR, NULL);
 }

To view, visit change 40276. To unsubscribe, or for help writing mail filters, visit settings.

Gerrit-MessageType: newchange
Gerrit-Project: osmo-hnbgw
Gerrit-Branch: master
Gerrit-Change-Id: Id605f2b279a4d886399de27f6a94622ad7bf982b
Gerrit-Change-Number: 40276
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin@sysmocom.de>