[PATCH] nat: fix use after free in forward_sccp_to_bts

From: Pablo Neira Ayuso <pablo(a)gnumonks.org> valgrind detected an use after free in the path of forward_sccp_to_bts. The 'parsed' object is referenced from update_con_authorize. --- openbsc/src/osmo-bsc_nat/bsc_nat.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c index b9bf36c..be8d56a 100644 --- a/openbsc/src/osmo-bsc_nat/bsc_nat.c +++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c @@ -718,15 +718,18 @@ static int forward_sccp_to_bts(struct bsc_msc_connection *msc_con, struct msgb * LOGP(DNAT, LOGL_ERROR, "Unknown connection for msg type: 0x%x from the MSC.\n", parsed->sccp_type); } - talloc_free(parsed); - if (!con) + if (!con) { + talloc_free(parsed); return -1; + } if (!con->bsc->authenticated) { + talloc_free(parsed); LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n"); return -1; } update_con_authorize(con, parsed, msg); + talloc_free(parsed); bsc_send_data(con->bsc, msg->l2h, msgb_l2len(msg), proto); return 0; -- 1.7.10.4