[MERGED] openbsc[master]: bsc_nat: ctrl: Fix crash on receiving bsc reply

Harald Welte gerrit-no-reply at lists.osmocom.org
Wed Apr 11 16:52:43 UTC 2018


Harald Welte has submitted this change and it was merged.

Change subject: bsc_nat: ctrl: Fix crash on receiving bsc reply
......................................................................


bsc_nat: ctrl: Fix crash on receiving bsc reply

Since libosmocore 7c0031fc8063771e604976233fb7b46d2b85c077, the cmd
param passed to handlers in ctrl_handle_msg is always freed afterwards,
thus it is owned by the same function. Avoid keeping it alive and
accessing it later when it has already been freed.

Related: OS#3157

Change-Id: Ib1e1fb79746d4a4f3e30254fdb7a7e851c2cd0e4
---
M openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
1 file changed, 8 insertions(+), 2 deletions(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
index 22c3608..61ac887 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
@@ -79,7 +79,6 @@
 {
 	llist_del(&pending->list_entry);
 	osmo_timer_del(&pending->timeout);
-	talloc_free(pending->cmd);
 	talloc_free(pending);
 }
 
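Review bot: with `talloc_free(pending->cmd);` removed, releasing the command in this function depends entirely on `pending->cmd` being a talloc child of `pending`, which holds only because the second hunk allocates it with `ctrl_cmd_cpy(pending, cmd)`. A one-line comment above `talloc_free(pending);` stating that the cmd copy is freed as a child of `pending` would keep a later change (for example, allocating the copy under a different context) from silently turning this into a leak.
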
@@ -275,8 +274,15 @@
 			cmd->reply = "Sending failed";
 			goto err;
 		}
+
+		/* caller owns cmd param and will destroy it after we return */
+		pending->cmd = ctrl_cmd_cpy(pending, cmd);
+		if (!pending->cmd) {
+			cmd->reply = "Could not answer command";
+			goto err;
+		}
 		cmd->ccon->closed_cb = ctrl_conn_closed_cb;
-		pending->cmd = cmd;
+		pending->cmd->ccon = cmd->ccon;
 
 		/* Setup the timeout */
 		osmo_timer_setup(&pending->timeout, pending_timeout_cb,
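
Review bot: the `ctrl_cmd_cpy()` call sits after the `"Sending failed"` check, so a failed copy takes `goto err` when the request has apparently already gone out to the BSC, and the BSC's reply would then arrive with no pending command to answer. Consider making the copy before the send, so an allocation failure aborts before anything leaves the NAT. The explicit `pending->cmd->ccon = cmd->ccon;` also implies that the copy does not carry the connection pointer; a short comment saying so would explain why the assignment is needed and that `ccon` is borrowed, not owned, by the copy.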

-- 
To view, visit https://gerrit.osmocom.org/7764
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ib1e1fb79746d4a4f3e30254fdb7a7e851c2cd0e4
Gerrit-PatchSet: 1
Gerrit-Project: openbsc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: daniel <dwillmann at sysmocom.de>


