matanp has submitted this change. ( https://gerrit.osmocom.org/c/osmo-msc/+/40852?usp=email ) Change subject: silent_call: Fix use after free of paging request ...................................................................... silent_call: Fix use after free of paging request Before this change trans->paging_request was not assigned correctly. In some cases it caused trans_free to not call paging_request_remove. If the paging timeouts, paging_cb_silent would call trans_free again with a stale pointer. Change-Id: I93913d189800d71f82c013b6e946bd63db362f65 --- M src/libmsc/silent_call.c 1 file changed, 3 insertions(+), 2 deletions(-) Approvals: fixeria: Looks good to me, but someone else must approve Jenkins Builder: Verified laforge: Looks good to me, approved diff --git a/src/libmsc/silent_call.c b/src/libmsc/silent_call.c index a59e3af..c450fdc 100644 --- a/src/libmsc/silent_call.c +++ b/src/libmsc/silent_call.c @@ -152,8 +152,9 @@ } trans->silent_call.from_vty = vty; - if (!paging_request_start(vsub, PAGING_CAUSE_CALL_BACKGROUND, paging_cb_silent, trans, - "establish silent call")) { + trans->paging_request = paging_request_start(vsub, PAGING_CAUSE_CALL_BACKGROUND, paging_cb_silent, trans, + "establish silent call"); + if (!trans->paging_request) { trans_free(trans); return -ENODEV; } -- To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/40852?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-Change-Id: I93913d189800d71f82c013b6e946bd63db362f65 Gerrit-Change-Number: 40852 Gerrit-PatchSet: 2 Gerrit-Owner: matanp <matan1008(a)gmail.com> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: matanp <matan1008(a)gmail.com>