fixeria has submitted this change. ( https://gerrit.osmocom.org/c/libosmocore/+/40221?usp=email )

Change subject: lapd: Take talloc msgb ownership when enqueueing it ......................................................................

lapd: Take talloc msgb ownership when enqueueing it

Otherwise the msg talloc reference is kept parented at some unknown pointer in some unknown upper layer, which may cause memory corruption or use-after-free.

Related: OS#6728 Change-Id: I32729060b5a18576310b3789da522f4392d9611e (cherry picked from commit 630d9b81c8464a0e859dd6c5c72ab88a00b61841) --- M src/isdn/lapd_core.c 1 file changed, 2 insertions(+), 0 deletions(-)

Approvals: Jenkins Builder: Verified pespin: Looks good to me, approved

diff --git a/src/isdn/lapd_core.c b/src/isdn/lapd_core.c index b32ed26..caaf092 100644 --- a/src/isdn/lapd_core.c +++ b/src/isdn/lapd_core.c @@ -1922,6 +1922,8 @@

LOGDL(dl, LOGL_INFO, "writing message to send-queue: l3len: %d\n", msgb_l3len(msg));

+ /* Take ownership of msg, since we are keeping it around in this layer: */ + talloc_steal(tall_lapd_ctx, msg); /* Write data into the send queue */ msgb_enqueue(&dl->send_queue, msg);