[PATCH] osmo-bts[master]: rsl: fix double-free in rsl_rx_mode_modif()

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.

dexter gerrit-no-reply at lists.osmocom.org
Fri Jan 26 11:42:48 UTC 2018


Review at  https://gerrit.osmocom.org/6095

rsl: fix double-free in rsl_rx_mode_modif()

When the RSL_IE_CHAN_MODE is missing, then the message buffer
is freed and the channel mode modify is nacked using
return rsl_tx_mode_modif_nack()

The function rsl_tx_mode_modif_nack uses abis_bts_rsl_sendmsg(),
which returns 0 on success. This eventually leads to a double-
free in rsl_rx_dchan(), which frees the message buffer on all
return codes except 1.

- Remove the excess msgb_free() in the error handling path.

Change-Id: I946a927ba35aa115520b1248eefccd91832f69f6
---
M src/common/rsl.c
1 file changed, 0 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/95/6095/1

diff --git a/src/common/rsl.c b/src/common/rsl.c
index 88e240a..1f45cc6 100644
--- a/src/common/rsl.c
+++ b/src/common/rsl.c
@@ -1283,7 +1283,6 @@
 	/* 9.3.6 Channel Mode */
 	if (!TLVP_PRESENT(&tp, RSL_IE_CHAN_MODE)) {
 		LOGP(DRSL, LOGL_NOTICE, "missing Channel Mode\n");
-		msgb_free(msg);
 		return rsl_tx_mode_modif_nack(lchan, RSL_ERR_MAND_IE_ERROR);
 	}
 	cm = (struct rsl_ie_chan_mode *) TLVP_VAL(&tp, RSL_IE_CHAN_MODE);
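Review bot: Dropping the msgb_free(msg) before the nack return is the right fix given the ownership rule stated in the commit message (rsl_rx_dchan() frees msg on every return value except 1), but that rule is invisible at this site, so the next reader may well reintroduce the free. Consider a one-line comment above `return rsl_tx_mode_modif_nack(lchan, RSL_ERR_MAND_IE_ERROR);` noting that msg is still owned by the caller and must not be freed here, and check that the remaining early-return error paths in rsl_rx_mode_modif() do not carry the same stray msgb_free(msg); this hunk only covers the missing-IE branch.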

-- 
To view, visit https://gerrit.osmocom.org/6095
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I946a927ba35aa115520b1248eefccd91832f69f6
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>


