This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.orgHarald Welte has submitted this change and it was merged. Change subject: l1sap: Fix use-after-free in loopback mode. ...................................................................... l1sap: Fix use-after-free in loopback mode. By default l1sap_tch_ind() returns 0 which signals to its caller that message has been processed and can be freed. In case of loopback we're forwarding the message to dl_tch_queue who will free it later. Returning 1 from l1sap_tch_ind() prevents caller from freeing message. Change-Id: I1e065075baa51c88fa717f132e1f0a83df68be02 --- M src/common/l1sap.c 1 file changed, 3 insertions(+), 0 deletions(-) Approvals: Max: Looks good to me, but someone else must approve Harald Welte: Looks good to me, approved Jenkins Builder: Verified diff --git a/src/common/l1sap.c b/src/common/l1sap.c index f4bc5ce..553011f 100644 --- a/src/common/l1sap.c +++ b/src/common/l1sap.c @@ -925,6 +925,9 @@ } msgb_enqueue(&lchan->dl_tch_queue, msg); + + /* Return 1 to signal that we're still using msg and it should not be freed */ + return 1; } lchan->rtp_tx_marker = false; -- To view, visit https://gerrit.osmocom.org/1245 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: I1e065075baa51c88fa717f132e1f0a83df68be02 Gerrit-PatchSet: 2 Gerrit-Project: osmo-bts Gerrit-Branch: master Gerrit-Owner: Alexander Chemeris <Alexander.Chemeris at gmail.com> Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Max <msuraev at sysmocom.de>
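Review bot: the added `return 1;` directly after `msgb_enqueue(&lchan->dl_tch_queue, msg);` exits before the `lchan->rtp_tx_marker = false;` statement that follows the closing brace in the visible context, so on the loopback path that marker is no longer cleared as it was when execution fell through. It is worth confirming that skipping the reset is intended, or moving the reset ahead of the return. Separately, the ownership contract (0 means the caller may free msg, 1 means the message has been handed to dl_tch_queue and must not be freed) is recorded only in this inline comment; stating it in the function comment of l1sap_tch_ind() would help keep any other return path and every caller consistent with it.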