pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/39812?usp=email )
Change subject: lapdm: Move queue initialization to specific init function
......................................................................
lapdm: Move queue initialization to specific init function
Otherwise the msg talloc reference is kept parented at some unknown pointer in some unknown upper layer, which may cause memory corruption or use-after-free.
Change-Id: I9c73f3aa5cc39d298296a82a99fbaf234b0ebe99
Related: OS#6728
---
M src/gsm/lapdm.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/12/39812/1
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c index 8f7db90..74e0736 100644 --- a/src/gsm/lapdm.c +++ b/src/gsm/lapdm.c @@ -136,6 +136,7 @@ const char *name) { memset(dl, 0, sizeof(*dl)); + INIT_LLIST_HEAD(&dl->tx_ui_queue); dl->entity = entity; lapd_dl_init2(&dl->dl, 1, 8, 251, name); /* Section 5.8.5 of TS 04.06 */ dl->dl.reestablish = 0; /* GSM uses no reestablish */ @@ -200,7 +201,6 @@ lapdm_dl_init(&le->datalink[i], le, (t200_ms) ? t200_ms[i] : 0, n200, name); } else lapdm_dl_init(&le->datalink[i], le, (t200_ms) ? t200_ms[i] : 0, n200, NULL); - INIT_LLIST_HEAD(&le->datalink[i].tx_ui_queue); }
lapdm_entity_set_mode(le, mode);
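Review bot: The commit message's rationale (a msg talloc reference parented at an unknown pointer) does not describe what the two hunks actually change, which is only where `tx_ui_queue` gets its `INIT_LLIST_HEAD()`: it moves from the per-datalink loop in `lapdm_entity_init()` (both the `if` and `else` branches called `lapdm_dl_init()`, so both were covered by the removed line) into `lapdm_dl_init()` itself, directly after `memset(dl, 0, sizeof(*dl))`. That ordering is right, since the memset leaves the list head with NULL next/prev pointers and any `llist_add()` on it before initialization would dereference NULL. Please name in the commit message the other `lapdm_dl_init()` caller that previously reached `tx_ui_queue` uninitialized; the hunk only shows the `lapdm_entity_init()` loop, so the reader cannot see which path this fixes.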