pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-hnbgw/+/40276?usp=email )
Change subject: ps_rab_ass_fsm: Fix potential use-after-free if Tx RAB-ASS-RESP over SCCP fails
ps_rab_ass_fsm: Fix potential use-after-free if Tx RAB-ASS-RESP over SCCP fails
ps_rab_ass_failure() is already calling osmo_fsm_inst_term(rab_ass->fi), which will free "fi" and its child talloc struct "rab_ass". Hence, return early as done everywhere else in order to avoid accessing the struct again.
Change-Id: Id605f2b279a4d886399de27f6a94622ad7bf982b
---
M src/osmo-hnbgw/ps_rab_ass_fsm.c
1 file changed, 1 insertion(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-hnbgw refs/changes/76/40276/1
diff --git a/src/osmo-hnbgw/ps_rab_ass_fsm.c b/src/osmo-hnbgw/ps_rab_ass_fsm.c index fc3b605..fc15fff 100644 --- a/src/osmo-hnbgw/ps_rab_ass_fsm.c +++ b/src/osmo-hnbgw/ps_rab_ass_fsm.c @@ -633,8 +633,8 @@ if (rc < 0) { LOG_PS_RAB_ASS(rab_ass, LOGL_ERROR, "Sending RANAP PS RAB-AssignmentResponse failed\n"); ps_rab_ass_failure(rab_ass); + return; } - /* The request message has been forwarded. We are done. */ osmo_fsm_inst_term(rab_ass->fi, OSMO_FSM_TERM_REGULAR, NULL); }
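Review bot: The `return;` added after `ps_rab_ass_failure(rab_ass);` in the `rc < 0` branch has no comment explaining why control must stop there. A short note such as `/* rab_ass was freed by ps_rab_ass_failure() */` would help keep a later edit from reintroducing the `rab_ass->fi` access that follows the block. The same hunk also deletes the comment "The request message has been forwarded. We are done." above the final `osmo_fsm_inst_term()` call; that removal is unrelated to the fix and the comment still describes the success path, so consider keeping it or mentioning the removal in the commit message.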