[MERGED] osmo-msc[master]: sms_queue: fix use-after-free on 'pending'

Harald Welte gerrit-no-reply at lists.osmocom.org
Sat Apr 14 19:36:54 UTC 2018


Harald Welte has submitted this change and it was merged.

Change subject: sms_queue: fix use-after-free on 'pending'
......................................................................


sms_queue: fix use-after-free on 'pending'

This bug is super obvious: We cannot first call
sms_pending_free(pending) and then in the next line still dereference
the pending->sms_id member.

This bug was introduced in January with Change-Id: I3749855fe25d9d4e37ec96b0c2bffbc692b66a78
and apparently nobody has tested any MT-SMS with asan enabled since?

Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6
Closes: OS#3152
---
M src/libmsc/sms_queue.c
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved; Verified



diff --git a/src/libmsc/sms_queue.c b/src/libmsc/sms_queue.c
index 7d59787..ed11123 100644
--- a/src/libmsc/sms_queue.c
+++ b/src/libmsc/sms_queue.c
@@ -480,8 +480,8 @@
 		/* Remember the subscriber and clear the pending entry */
 		network->sms_queue->pending -= 1;
 		vsub = vlr_subscr_get(pending->vsub);
-		sms_pending_free(pending);
 		db_sms_delete_sent_message_by_id(pending->sms_id);
+		sms_pending_free(pending);
 		/* Attempt to send another SMS to this subscriber */
 		sms_send_next(vsub);
 		vlr_subscr_put(vsub);
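Review bot: after the reordered `sms_pending_free(pending);` line, `pending` is still a dangling pointer in scope, and nothing in the hunk marks the free as the last permitted use, so a later edit could reintroduce the same use-after-free. The existing comment "Remember the subscriber and clear the pending entry" could be extended to say that `pending` must not be touched after the free. Alternatively, read `pending->sms_id` into a local next to the `vsub = vlr_subscr_get(pending->vsub);` line so that every value needed later is captured before the entry is released. Since the commit message notes that this went unnoticed without asan, an MT-SMS delivery test run in a sanitizer-enabled build would help catch a regression on this path.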

-- 
To view, visit https://gerrit.osmocom.org/7796
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6
Gerrit-PatchSet: 2
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Stefan Sperling <ssperling at sysmocom.de>
