pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/39808?usp=email )
Change subject: lapdm: Take talloc msgb ownership when enqueueing it
lapdm: Take talloc msgb ownership when enqueueing it
Otherwise the msg talloc reference is kept parented at some unknown pointer in some unknown upper layer, which may cause memory corruption or use-after-free.
Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7
Related: OS#6728
---
M src/gsm/lapdm.c
1 file changed, 4 insertions(+), 0 deletions(-)
Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c index 61ea535..f725b44 100644 --- a/src/gsm/lapdm.c +++ b/src/gsm/lapdm.c @@ -376,6 +376,8 @@ *msgb_push(msg, 1) = pad; *msgb_push(msg, 1) = link_id; *msgb_push(msg, 1) = chan_nr; + /* Take ownership of msg, since we are keeping it around in this layer: */ + talloc_steal(tall_lapd_ctx, msg); msgb_enqueue(&dl->dl.tx_queue, msg); return 0; } @@ -403,6 +405,8 @@ *msgb_push(msg, 1) = pad; *msgb_push(msg, 1) = link_id; *msgb_push(msg, 1) = chan_nr; + /* Take ownership of msg, since we are keeping it around in this layer: */ + talloc_steal(tall_lapd_ctx, msg); msgb_enqueue(&dl->tx_ui_queue, msg); return 0; }
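Review bot: In the first hunk (the `dl->dl.tx_queue` path) `talloc_steal(tall_lapd_ctx, msg)` reparents the msgb to the library-wide lapd context rather than to the `dl` entity whose queue now holds it, so a message still sitting in `dl->dl.tx_queue` when that entity is torn down is only released if the teardown path explicitly drains the queue (e.g. with `msgb_queue_free()`); please confirm that it does, or steal onto the owning object instead. The ownership transfer is also a change in the function's contract that the hunk does not document: the caller must no longer free or touch `msg` after a successful return, and that should be stated in the function's doc comment alongside the new inline comment.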
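Review bot: The second hunk (the `dl->tx_ui_queue` path) repeats the same two added lines verbatim, so the ownership-taking step is now duplicated in two places that must stay in sync; consider moving the `talloc_steal()` into a small shared enqueue helper, or at least apply the same contract note to this function's doc comment so the UI and I-frame paths document identical semantics. The same teardown question applies here: messages left in `dl->tx_ui_queue` are parented to `tall_lapd_ctx`, not to `dl`, so they survive the entity unless the queue is drained on free.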