In case the control interface on TCP port 4249 is used in an unintended way, a SIGABRT can be caused because of a double talloc_free() call on a msgb*. The upcoming patch fixes this bug.
If the patch seems useful, please feel free to merge it.
Kind regards, -Alexander Huemer
Alexander Huemer(1): libctrl: only free() msgb if it was alloc()ed
openbsc/src/libctrl/control_if.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-)
Before this patch a SIGABRT was caused when doing e.g.: $ ncat 127.0.0.1 4249 ^C --- openbsc/src/libctrl/control_if.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/libctrl/control_if.c b/openbsc/src/libctrl/control_if.c index 8198ae6..c395b08 100644 --- a/openbsc/src/libctrl/control_if.c +++ b/openbsc/src/libctrl/control_if.c @@ -208,7 +208,7 @@ static int handle_control_read(struct osmo_fd * bfd) struct ctrl_connection *ccon; struct ipaccess_head *iph; struct ipaccess_head_ext *iph_ext; - struct msgb *msg; + struct msgb *msg = NULL; struct ctrl_cmd *cmd; struct ctrl_handle *ctrl = bfd->data;
@@ -269,7 +269,8 @@ static int handle_control_read(struct osmo_fd * bfd)
err: control_close_conn(ccon); - msgb_free(msg); + if (msg) + msgb_free(msg); return ret; }
On 10/11/2011 10:25 PM, Alexander Huemer wrote:
struct ipaccess_head_ext *iph_ext;
- struct msgb *msg;
- struct msgb *msg = NULL;
yes
con);
- msgb_free(msg);
- if (msg)
msgb_free(msg);
no, i think we should assume that msgb_free(NULL) will work.
thanks
On Tue, Oct 11, 2011 at 11:07:35PM +0200, Holger Hans Peter Freyther wrote:
On 10/11/2011 10:25 PM, Alexander Huemer wrote:
struct ipaccess_head_ext *iph_ext;
- struct msgb *msg;
- struct msgb *msg = NULL;
yes
con);
- msgb_free(msg);
- if (msg)
msgb_free(msg);no, i think we should assume that msgb_free(NULL) will work.
thanks
You are right. I'll resend the patch.
-
Alexander Huemer -
Holger Hans Peter Freyther