This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Harald Welte gerrit-no-reply at lists.osmocom.org

Harald Welte has submitted this change and it was merged.

Change subject: rsl: fix double-free in rsl_rx_mode_modif()

rsl: fix double-free in rsl_rx_mode_modif()

When the RSL_IE_CHAN_MODE is missing, then the message buffer is freed and the channel mode modify is nacked using return rsl_tx_mode_modif_nack()

The function rsl_tx_mode_modif_nack uses abis_bts_rsl_sendmsg() which returns 0 on success. This eventually leads into a double-free in rsl_rx_dchan() which frees the message buffer on all return codes except 1.

- Remove the excess msgb_free() in the error handling path.

Change-Id: I946a927ba35aa115520b1248eefccd91832f69f6
---
M src/common/rsl.c
1 file changed, 0 insertions(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified

diff --git a/src/common/rsl.c b/src/common/rsl.c index 88e240a..1f45cc6 100644 --- a/src/common/rsl.c +++ b/src/common/rsl.c @@ -1283,7 +1283,6 @@ /* 9.3.6 Channel Mode */ if (!TLVP_PRESENT(&tp, RSL_IE_CHAN_MODE)) { LOGP(DRSL, LOGL_NOTICE, "missing Channel Mode\n"); - msgb_free(msg); return rsl_tx_mode_modif_nack(lchan, RSL_ERR_MAND_IE_ERROR); } cm = (struct rsl_ie_chan_mode *) TLVP_VAL(&tp, RSL_IE_CHAN_MODE);

--
To view, visit https://gerrit.osmocom.org/6095
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I946a927ba35aa115520b1248eefccd91832f69f6
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bts
Gerrit-Branch: master
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder
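
Review bot: In the missing Channel Mode branch, the return value of rsl_tx_mode_modif_nack() is still what decides whether rsl_rx_dchan() frees msg, so buffer ownership on this path depends on what abis_bts_rsl_sendmsg() happens to return. Per the commit message the caller frees on every return code except 1; with the msgb_free() gone, a send path that ever returned 1 would turn this into a leak instead of a double free. Consider sending the NACK and then returning a fixed error code, and add a short comment on this branch (or at the top of rsl_rx_mode_modif()) stating that msg stays owned by the caller unless the handler returns 1. The hunk shows only this one early return; the other error returns in the function are worth checking for the same pattern of msgb_free(msg) followed by returning a helper's result.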