pespin submitted this change.

View Change

sbcap_server: Fix double-free of rx msg if conn is destroyed

In sbcap_cbc_read_cb(), if sctp_recvmsg() fails and we end up calling
osmo_stream_srv_destroy(conn), then both conn and client will end up
being freed by sbcap_cbc_closed_cb(), so we cannot use them anymore
after calling osmo_stream_srv_destroy(conn).
Furthermore, since msg was allocated with "client" ctx as parent, it
would also be freed when "client" was freed.
Let's make the logic easier and alloc it under g_cbc, which is
guaranteed to always be kept there.

Change-Id: I201f44efa24a514e0087b6dcd01115b9b2b8e9db
---
M src/sbcap_server.c
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/sbcap_server.c b/src/sbcap_server.c
index 56beae6..159fa89 100644
--- a/src/sbcap_server.c
+++ b/src/sbcap_server.c
@@ -59,7 +59,7 @@
 	struct osmo_sbcap_cbc *cbc = osmo_stream_srv_link_get_data(link);
 	struct osmo_fd *ofd = osmo_stream_srv_get_ofd(conn);
 	SBcAP_SBC_AP_PDU_t *pdu;
-	struct msgb *msg = msgb_alloc_c(client, 1500, "SBcAP-rx");
+	struct msgb *msg = msgb_alloc_c(g_cbc, 1500, "SBcAP-rx");
 	struct sctp_sndrcvinfo sinfo;
 	int flags = 0;
 	int rc;

To view, visit change 28691. To unsubscribe, or for help writing mail filters, visit settings.