Attention is currently required from: pespin.
fixeria has posted comments on this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32641 )
Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()
Patch Set 1:
(2 comments)
Commit Message:
https://gerrit.osmocom.org/c/libosmo-abis/+/32641/comment/8127499a_dfc877f6
PS1, Line 31: *** (!) as well as the struct osmo_fsm_inst (talloc child)
> shouldn't the fsm always be freed with explicit osmo_fsm_inst_free() and not through automatic tallo […]
Yes, all `osmo_fsm_inst` should normally be freed by calling `osmo_fsm_inst_free()`. But in this specific case it gets free()d implicitly (and incorrectly, not cleaning up stuff like timers and llists) before we reach the point of calling `osmo_fsm_inst_free()`. And when we call it, osmo-bts crashes due to use-after-free.
https://gerrit.osmocom.org/c/libosmo-abis/+/32641/comment/67473659_0c543803
PS1, Line 33: *** calling ipaccess_keepalive_fsm_cleanup()
> why is cleanup() called here if it was freed above?
I don't know why the cleanup() is called in the alloc() function... ask Eric.
> why wasn't the pointer set to NULL?
talloc does not set pointers to NULL when free()ing child chunks...