fixeria has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/28517 )
Change subject: gb: fix uninitialized ptr access in bssgp_encode_rim_pdu() ......................................................................
gb: fix uninitialized ptr access in bssgp_encode_rim_pdu()
Jumping to label 'error' before memory is allocated and its address stored in pointer 'rim_cont_buf' would result in passing garbage to talloc_free(). Found with clang 14.
Change-Id: I9420615b64d3755fd9131e8561c516c39f83a15b --- M src/gb/gprs_bssgp_rim.c 1 file changed, 4 insertions(+), 4 deletions(-)
Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved
diff --git a/src/gb/gprs_bssgp_rim.c b/src/gb/gprs_bssgp_rim.c
index 63b303e..71f7ea8 100644
--- a/src/gb/gprs_bssgp_rim.c
+++ b/src/gb/gprs_bssgp_rim.c
@@ -1064,7 +1064,6 @@
 struct msgb *msg = bssgp_msgb_alloc();
 struct bssgp_normal_hdr *bgph;
 uint8_t rim_ri_buf[BSSGP_RIM_ROUTING_INFO_MAXLEN];
- uint8_t *rim_cont_buf;
 int rc;
 if (!msg)
@@ -1105,7 +1104,7 @@
 /* Put RIM container */
 if (pdu->decoded_present) {
- rim_cont_buf = talloc_zero_size(msg, msg->data_len);
+ uint8_t *rim_cont_buf = talloc_zero_size(msg, msg->data_len);
 if (!rim_cont_buf)
 goto error;
@@ -1130,8 +1129,10 @@
 /* The API user must set the iei properly! */
 OSMO_ASSERT(false);
 }
- if (rc < 0)
+ if (rc < 0) {
+ talloc_free(rim_cont_buf);
 goto error;
+ }
 msgb_tvlv_put(msg, pdu->rim_cont_iei, rc, rim_cont_buf);
 talloc_free(rim_cont_buf);
@@ -1143,7 +1144,6 @@
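Review bot: The `talloc_free(rim_cont_buf)` added before `goto error` in this hunk looks redundant: the buffer is allocated with `talloc_zero_size(msg, msg->data_len)` in the previous hunk, so it is a talloc child of `msg`, and the `error:` path ends in `msgb_free(msg)`, which presumably releases the whole talloc hierarchy under msg (worth confirming against msgb_free()). If that holds, the original two-line `if (rc < 0) goto error;` would have been sufficient once the dangling free at `error:` was removed, keeping a single cleanup path. Retaining the explicit free is harmless and mirrors the success-path `talloc_free(rim_cont_buf)` below, so this is a style point only; a short comment such as `/* scratch buffer is a child of msg; freed early so it does not outlive encoding */` would document why it is freed here at all. The enclosing function starts before this hunk.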
 return msg;
 error:
- talloc_free(rim_cont_buf);
 msgb_free(msg);
 return 0;
 }