pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/39808?usp=email ) Change subject: lapdm: Take talloc msgb ownership when enqueueing it ...................................................................... lapdm: Take talloc msgb ownership when enqueueing it Otherwise the msg talloc reference is kept parented at some unknown pointer in some unknown upper layer, which may cause memory corruption or use-after-free. Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7 Related: OS#6728 --- M src/gsm/lapdm.c 1 file changed, 4 insertions(+), 0 deletions(-) Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c index 61ea535..f725b44 100644 --- a/src/gsm/lapdm.c +++ b/src/gsm/lapdm.c @@ -376,6 +376,8 @@ *msgb_push(msg, 1) = pad; *msgb_push(msg, 1) = link_id; *msgb_push(msg, 1) = chan_nr; + /* Take ownership of msg, since we are keeping it around in this layer: */ + talloc_steal(tall_lapd_ctx, msg); msgb_enqueue(&dl->dl.tx_queue, msg); return 0; } @@ -403,6 +405,8 @@ *msgb_push(msg, 1) = pad; *msgb_push(msg, 1) = link_id; *msgb_push(msg, 1) = chan_nr; + /* Take ownership of msg, since we are keeping it around in this layer: */ + talloc_steal(tall_lapd_ctx, msg); msgb_enqueue(&dl->tx_ui_queue, msg); return 0; } -- To view, visit https://gerrit.osmocom.org/c/libosmocore/+/39808?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7 Gerrit-Change-Number: 39808 Gerrit-PatchSet: 3 Gerrit-Owner: pespin <pespin(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>