Change in libosmo-sccp[master]: fix use after free in osmo_sccp_simple_server_add_clnt()

historical

Stefan Sperling has uploaded this change for review. ( https://gerrit.osmocom.org/9477


Change subject: fix use after free in osmo_sccp_simple_server_add_clnt()
......................................................................

fix use after free in osmo_sccp_simple_server_add_clnt()

The variable as_name was freed before being passed to the
osmo_ss7_route_create() function. Free it later to avoid
a use-after-free crash with address sanitizer.

Found by running 'examples/m3ua_example aaa' with address
sanitizer enabled.

Change-Id: I9d724bc1d2aa8d6f8b6a67bdeafdb5f0f9136413
Related: OS#2666
---
M src/sccp_user.c
1 file changed, 1 insertion(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/77/9477/1

diff --git a/src/sccp_user.c b/src/sccp_user.c
index a6161c0..99ed96e 100644
--- a/src/sccp_user.c
+++ b/src/sccp_user.c
@@ -611,7 +611,6 @@
 	as = osmo_ss7_as_find_or_create(ss7, as_name, prot);
 	if (!as)
 		goto out_strings;
-	talloc_free(as_name);
 
 	/* route only selected PC to the client */
 	rt = osmo_ss7_route_create(ss7->rtable_system, pc, 0xffff, as_name);
@@ -624,6 +623,7 @@
 	asp->cfg.is_server = true;
 	osmo_ss7_as_add_asp(as, asp_name);
 	talloc_free(asp_name);
+	talloc_free(as_name);
 	osmo_ss7_asp_restart(asp);
 
 	return ss7->sccp;

-- 
To view, visit https://gerrit.osmocom.org/9477
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9d724bc1d2aa8d6f8b6a67bdeafdb5f0f9136413
Gerrit-Change-Number: 9477
Gerrit-PatchSet: 1
Gerrit-Owner: Stefan Sperling <ssperling at sysmocom.de>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20180606/ca187676/attachment.htm>
