From: Pablo Neira Ayuso <pablo(a)gnumonks.org>
valgrind detected a use-after-free in the forward_sccp_to_bts path: 'parsed' was freed before the call to update_con_authorize, which still references it.
---
openbsc/src/osmo-bsc_nat/bsc_nat.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index b9bf36c..be8d56a 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -718,15 +718,18 @@ static int forward_sccp_to_bts(struct bsc_msc_connection *msc_con,
struct msgb *
LOGP(DNAT, LOGL_ERROR, "Unknown connection for msg type: 0x%x from the
MSC.\n", parsed->sccp_type);
}
- talloc_free(parsed);
- if (!con)
+ if (!con) {
+ talloc_free(parsed);
return -1;
+ }
if (!con->bsc->authenticated) {
+ talloc_free(parsed);
LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n");
return -1;
}
update_con_authorize(con, parsed, msg);
+ talloc_free(parsed);
bsc_send_data(con->bsc, msg->l2h, msgb_l2len(msg), proto);
return 0;
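Review bot: The new code keeps three separate talloc_free(parsed) sites on three exits (the !con branch, the !authenticated branch and the success path after update_con_authorize), which is exactly the shape that let the original use-after-free creep in once a consumer of `parsed` was added below a shared free; a single cleanup label makes the lifetime of `parsed` end in one place regardless of which path is taken. The fix is only sufficient if update_con_authorize does not keep a pointer to `parsed` past its return — that cannot be seen from this hunk and is worth confirming in that function before closing the issue. In the !authenticated branch the free is placed before the LOGP; harmless here since the log does not touch `parsed`, but the single-exit form removes that ordering question entirely. forward_sccp_to_bts starts before this hunk and its closing brace is not visible, so any earlier return paths that may also need to release `parsed` are not covered by this review.
```c
	int rc = -1;

	/* … unchanged: connection lookup and "Unknown connection" log … */
	if (!con)
		goto out;
	if (!con->bsc->authenticated) {
		LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n");
		goto out;
	}
	update_con_authorize(con, parsed, msg);
	bsc_send_data(con->bsc, msg->l2h, msgb_l2len(msg), proto);
	rc = 0;
out:
	/* single release point: every path above still has 'parsed' live here */
	talloc_free(parsed);
	return rc;
```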
--
1.7.10.4