pespin has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/42412?usp=email )
Change subject: osmo_io: Fix msgb memleak if iofd is unregistered during write_cb with >1 io buffers
osmo_io: Fix msgb memleak if iofd is unregistered during write_cb with >1 io buffers
The msgbs are not allocated under the msghdr, hence if the user unregistered the iofd, we need to manually free all remaining msgbs when freeing the msghdr.
Change-Id: I579bc2142bba02947021c47d94bf2fe4f2040b01
---
M src/core/osmo_io.c
1 file changed, 11 insertions(+), 2 deletions(-)

Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, approved
  osmith: Looks good to me, but someone else must approve
  fixeria: Looks good to me, but someone else must approve
  jolly: Looks good to me, but someone else must approve
diff --git a/src/core/osmo_io.c b/src/core/osmo_io.c index 2a20405..ddf77ec 100644 --- a/src/core/osmo_io.c +++ b/src/core/osmo_io.c @@ -553,7 +553,7 @@
/* The user can unregister/close the iofd during callback above. */ if (!IOFD_FLAG_ISSET(iofd, IOFD_FLAG_FD_REGISTERED)) - break; + goto free_remaining_idx; } iofd_msghdr_free(msghdr); return; @@ -606,9 +606,18 @@
/* The user can unregister/close the iofd during callback above. */ if (!IOFD_FLAG_ISSET(iofd, IOFD_FLAG_FD_REGISTERED)) - break; + goto free_remaining_idx; } iofd_msghdr_free(msghdr); + return; + +free_remaining_idx: + for (idx = idx + 1; idx < msghdr->io_len; idx++) { + msgb_free(msghdr->msg[idx]); + msghdr->msg[idx] = NULL; + } + iofd_msghdr_free(msghdr); + return; }
/* Public functions */
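Review bot: In the first hunk (@@ -553,7 +553,7 @@), the `goto free_remaining_idx` leaves this loop for a label that the patch defines only at the end of the function, after the second loop, so the cleanup there depends on `idx` and `msghdr->io_len` having the same meaning in both loops without anything at this site saying so. A one-line comment at this goto stating that the label frees `msghdr->msg[idx + 1]` onward and then the msghdr would make the dependency explicit. Alternatively, a small static helper that takes the msghdr and the start index, called from both sites and followed by `return;`, would avoid the jump across blocks.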
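Review bot: In the second hunk (@@ -606,9 +606,18 @@), the loop under `free_remaining_idx:` starts at `idx + 1`, which assumes that `msghdr->msg[idx]`, the buffer handled just before the `IOFD_FLAG_FD_REGISTERED` check, has already been released or had its ownership passed on by the time of the goto. That is not visible in these lines, so please state it in a comment above the loop. The label also has no comment explaining why the msgbs must be freed by hand (the commit message gives the reason: they are not allocated under the msghdr), and the final `return;` directly before the closing brace is redundant.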