laforge has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/36121?usp=email )

Change subject: osmo_io: Assign const name when stealing TX msg from iofd ctx ......................................................................

osmo_io: Assign const name when stealing TX msg from iofd ctx

All TX messages are moved from iofd instance to the user's context. iofd may be destroyed, but the message is still available to the user. To prevent a use-after-free bug, the context name must be changed from iofd->name to a constant that does not belong to iofd.

Change-Id: Ib8dae924fa2d94a7f636136ba7279b965a18cf5b --- M src/core/osmo_io.c 1 file changed, 15 insertions(+), 3 deletions(-)

Approvals: Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve laforge: Looks good to me, approved

diff --git a/src/core/osmo_io.c b/src/core/osmo_io.c index 7ea959b..33466e5 100644 --- a/src/core/osmo_io.c +++ b/src/core/osmo_io.c @@ -152,9 +152,7 @@ uint16_t headroom = iofd->msgb_alloc.headroom;

OSMO_ASSERT(iofd->msgb_alloc.size < 0xffff - headroom); - return msgb_alloc_headroom_c(iofd, - iofd->msgb_alloc.size + headroom, headroom, - iofd->name ? : "iofd_msgb"); + return msgb_alloc_headroom_c(iofd, iofd->msgb_alloc.size + headroom, headroom, "osmo_io_msgb"); }

/*! return the pending msgb in iofd or NULL if there is none*/