This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
laforge gerrit-no-reply at lists.osmocom.orglaforge has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmocore/+/21831 ) Change subject: lapd_core: Don't dereference data link after sending PRIM_DL_REL ...................................................................... lapd_core: Don't dereference data link after sending PRIM_DL_REL We must always send the RELEASE.{indication,confirm} last before returning from a function. We cannot rely on the datalink to still be around after the call, as the SAP user might have destroyed the data link meanwhile. This fixes a heap use-after-free (at least) with RBS2000 when the BTS is fully brought up and the OML data link is lost, see OS#1762 Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00 Related: OS#1761 Related: OS#1762 --- M src/gsm/lapd_core.c 1 file changed, 4 insertions(+), 5 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmocore refs/changes/31/21831/1 diff --git a/src/gsm/lapd_core.c b/src/gsm/lapd_core.c index ed0b320..e0c232f 100644 --- a/src/gsm/lapd_core.c +++ b/src/gsm/lapd_core.c @@ -624,8 +624,6 @@ if (dl->retrans_ctr >= dl->n200_est_rel + 1) { /* send MDL ERROR INIDCATION to L3 */ mdl_error(MDL_CAUSE_T200_EXPIRED, &dl->lctx); - /* send RELEASE INDICATION to L3 */ - send_dl_simple(PRIM_DL_REL, PRIM_OP_CONFIRM, &dl->lctx); /* flush tx and send buffers */ lapd_dl_flush_tx(dl); lapd_dl_flush_send(dl); @@ -634,6 +632,8 @@ /* NOTE: we must not change any other states or buffers * and queues, since we may reconnect after handover * failure. the buffered messages is replaced there */ + /* send RELEASE INDICATION to L3 */ + send_dl_simple(PRIM_DL_REL, PRIM_OP_CONFIRM, &dl->lctx); break; } /* retransmit DISC command */ @@ -1230,13 +1230,12 @@ || !!memcmp(dl->tx_hist[0].msg->data, msg->l3h, length)) { LOGDL(dl, LOGL_INFO, "**** UA response mismatches ****\n"); - rc = send_dl_simple(PRIM_DL_REL, - PRIM_OP_INDICATION, lctx); - msgb_free(msg); /* go to idle state */ lapd_dl_flush_tx(dl); lapd_dl_flush_send(dl); lapd_dl_newstate(dl, LAPD_STATE_IDLE); + rc = send_dl_simple(PRIM_DL_REL, PRIM_OP_INDICATION, lctx); + msgb_free(msg); return 0; } } -- To view, visit https://gerrit.osmocom.org/c/libosmocore/+/21831 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmocore Gerrit-Branch: master Gerrit-Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00 Gerrit-Change-Number: 21831 Gerrit-PatchSet: 1 Gerrit-Owner: laforge <laforge at osmocom.org> Gerrit-MessageType: newchange -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20201221/32457953/attachment.htm>