fixeria has submitted this change. (
https://gerrit.osmocom.org/c/libosmocore/+/40221?usp=email )
Change subject: lapd: Take talloc msgb ownership when enqueueing it
......................................................................
lapd: Take talloc msgb ownership when enqueueing it
Otherwise the msg talloc reference is kept parented at some unknown
pointer in some unknown upper layer, which may cause memory corruption
or use-after-free.
Related: OS#6728
Change-Id: I32729060b5a18576310b3789da522f4392d9611e
(cherry picked from commit 630d9b81c8464a0e859dd6c5c72ab88a00b61841)
---
M src/isdn/lapd_core.c
1 file changed, 2 insertions(+), 0 deletions(-)
Approvals:
Jenkins Builder: Verified
pespin: Looks good to me, approved
diff --git a/src/isdn/lapd_core.c b/src/isdn/lapd_core.c
index b32ed26..caaf092 100644
--- a/src/isdn/lapd_core.c
+++ b/src/isdn/lapd_core.c
@@ -1922,6 +1922,8 @@
LOGDL(dl, LOGL_INFO, "writing message to send-queue: l3len: %d\n",
msgb_l3len(msg));
+ /* Take ownership of msg, since we are keeping it around in this layer: */
+ talloc_steal(tall_lapd_ctx, msg);
/* Write data into the send queue */
msgb_enqueue(&dl->send_queue, msg);
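Review bot: The talloc_steal(tall_lapd_ctx, msg) added just before msgb_enqueue(&dl->send_queue, msg) covers only this one enqueue site. The change touches two lines in total, so any other path in lapd_core.c that keeps a caller-provided msgb in a queue would still leave it parented to the caller's context, with the same use-after-free exposure the commit message describes. Suggest auditing the remaining msgb_enqueue() calls in this file and either repeating the reparenting there or moving it into a small helper that every queueing path uses. The ownership transfer is also documented only by the inline comment; the API documentation of the enclosing function should state that the LAPD layer owns msg after this point, so callers neither free it nor expect it to be released together with their own context. Finally, the hunk does not show where tall_lapd_ctx is initialised, so it is worth confirming that it is set before this path can run.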
--
Gerrit-MessageType: merged
Gerrit-Project: libosmocore
Gerrit-Branch: rel-1.11.1
Gerrit-Change-Id: I32729060b5a18576310b3789da522f4392d9611e
Gerrit-Change-Number: 40221
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de>
Gerrit-Reviewer: pespin <pespin(a)sysmocom.de>