[XS] Change in libosmocore[master]: lapd: Take talloc msgb ownership when enqueueing it - gerrit-log

17 Mar 2025

pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/39807?usp=email )
Change subject: lapd: Take talloc msgb ownership when enqueueing it
......................................................................
lapd: Take talloc msgb ownership when enqueueing it
Otherwise the msg talloc reference is kept parented at some unknown
pointer in some unknown upper layer, which may cause memory corruption
or use-after-free.
Related: OS#6728
Change-Id: I32729060b5a18576310b3789da522f4392d9611e
---
M src/isdn/lapd_core.c
1 file changed, 2 insertions(+), 0 deletions(-)
Approvals:
  pespin: Looks good to me, approved
  Jenkins Builder: Verified

diff --git a/src/isdn/lapd_core.c b/src/isdn/lapd_core.c
index b32ed26..caaf092 100644
--- a/src/isdn/lapd_core.c
+++ b/src/isdn/lapd_core.c
@@ -1922,6 +1922,8 @@
LOGDL(dl, LOGL_INFO, "writing message to send-queue: l3len: %d\n", msgb_l3len(msg));
+	/* Take ownership of msg, since we are keeping it around in this layer: */
+	talloc_steal(tall_lapd_ctx, msg);
    /* Write data into the send queue */
    msgb_enqueue(&dl->send_queue, msg);
-- 
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/39807?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email

Gerrit-MessageType: merged
Gerrit-Project: libosmocore
Gerrit-Branch: master
Gerrit-Change-Id: I32729060b5a18576310b3789da522f4392d9611e
Gerrit-Change-Number: 39807
Gerrit-PatchSet: 4
Gerrit-Owner: pespin pespin@sysmocom.de
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel dwillmann@sysmocom.de
Gerrit-Reviewer: fixeria vyanitskiy@sysmocom.de
Gerrit-Reviewer: laforge laforge@osmocom.org
Gerrit-Reviewer: osmith osmith@sysmocom.de
Gerrit-Reviewer: pespin pespin@sysmocom.de



    