From: Pablo Neira Ayuso pablo@gnumonks.org
valgrind detected a use-after-free in the path of forward_sccp_to_bts. The 'parsed' object is referenced from update_con_authorize.
---
 openbsc/src/osmo-bsc_nat/bsc_nat.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c index b9bf36c..be8d56a 100644 --- a/openbsc/src/osmo-bsc_nat/bsc_nat.c +++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c @@ -718,15 +718,18 @@ static int forward_sccp_to_bts(struct bsc_msc_connection *msc_con, struct msgb * LOGP(DNAT, LOGL_ERROR, "Unknown connection for msg type: 0x%x from the MSC.\n", parsed->sccp_type); }
- talloc_free(parsed); - if (!con) + if (!con) { + talloc_free(parsed); return -1; + } if (!con->bsc->authenticated) { + talloc_free(parsed); LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n"); return -1; }
update_con_authorize(con, parsed, msg); + talloc_free(parsed);
bsc_send_data(con->bsc, msg->l2h, msgb_l2len(msg), proto); return 0;
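Review bot: the cleanup of 'parsed' is now duplicated across three exits in forward_sccp_to_bts (the `if (!con)` branch, the `!con->bsc->authenticated` branch, and the line after update_con_authorize), which is easy to get wrong the next time an early return is added. Consider a single exit path instead, e.g. set a return code in the two error branches and jump to a label that does `talloc_free(parsed);` once before returning; since update_con_authorize(con, parsed, msg) still needs 'parsed', that shared free has to sit after that call on the success path, exactly where the new `+ talloc_free(parsed);` is. If the exits stay separate, the ordering in the `!con` branch is the right one to keep: the preceding LOGP reads parsed->sccp_type, so the free must come after the log there, whereas in the unauthenticated branch the free is placed before the LOGP, which is harmless (that message does not touch 'parsed') but inconsistent with the branch above it.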
On Sun, May 12, 2013 at 08:52:15PM +0200, pablo@gnumonks.org wrote:
> From: Pablo Neira Ayuso pablo@gnumonks.org
>
> valgrind detected a use-after-free in the path of forward_sccp_to_bts. The 'parsed' object is referenced from update_con_authorize.
Interesting that it never showed up when I used valgrind, and the code appears to have been like this since 2010. Feel free to push this to master.

thanks
holger