11 Oct
2011
11 Oct
'11
10:25 p.m.
In case the control interface on TCP port 4249 is used in an unintended way,
a SIGABRT can be caused because of a double talloc_free() call on a msgb*.
The upcoming patch fixes this bug.
If the patch seems useful, please feel free to merge it.
Kind regards,
-Alexander Huemer
Alexander Huemer(1):
libctrl: only free() msgb if it was alloc()ed
openbsc/src/libctrl/control_if.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
11 Oct
11 Oct
10:25 p.m.
New subject: [PATCH 1/1] libctrl: only free() msgb if it was alloc()ed
Before this patch a SIGABRT was caused when doing e.g.:
$ ncat 127.0.0.1 4249
^C
---
openbsc/src/libctrl/control_if.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/libctrl/control_if.c b/openbsc/src/libctrl/control_if.c
index 8198ae6..c395b08 100644
--- a/openbsc/src/libctrl/control_if.c
+++ b/openbsc/src/libctrl/control_if.c
@@ -208,7 +208,7 @@ static int handle_control_read(struct osmo_fd * bfd)
struct ctrl_connection *ccon;
struct ipaccess_head *iph;
struct ipaccess_head_ext *iph_ext;
- struct msgb *msg;
+ struct msgb *msg = NULL;
struct ctrl_cmd *cmd;
struct ctrl_handle *ctrl = bfd->data;
@@ -269,7 +269,8 @@ static int handle_control_read(struct osmo_fd * bfd)
err:
control_close_conn(ccon);
- msgb_free(msg);
+ if (msg)
+ msgb_free(msg);
return ret;
}
--
1.7.7
11:07 p.m.
New subject: [PATCH 1/1] libctrl: only free() msgb if it was alloc()ed
On 10/11/2011 10:25 PM, Alexander Huemer wrote:
struct ipaccess_head_ext *iph_ext;
- struct msgb *msg;
+ struct msgb *msg = NULL;
yes
con);
- msgb_free(msg);
+ if (msg)
+ msgb_free(msg);
no, i think we should assume that msgb_free(NULL) will work.
thanks
11:54 p.m.
New subject: [PATCH 1/1] libctrl: only free() msgb if it was alloc()ed
On Tue, Oct 11, 2011 at 11:07:35PM +0200, Holger Hans Peter Freyther wrote:
On 10/11/2011 10:25 PM, Alexander Huemer wrote:
You are right. I'll resend the patch.
struct ipaccess_head_ext *iph_ext;
- struct msgb *msg;
+ struct msgb *msg = NULL;
yes
con);
- msgb_free(msg);
+ if (msg)
+ msgb_free(msg);
no, i think we should assume that msgb_free(NULL) will work.
thanks
5002
days inactive
5002
days old
3 comments
2 participants
participants (2)
-
Alexander Huemer -
Holger Hans Peter Freyther