Change in osmo-mgw[master]: libosmo-mgcp-client: fix use-after-free in mgcp_client_tx()

historical

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-mgw/+/18880 )


Change subject: libosmo-mgcp-client: fix use-after-free in mgcp_client_tx()
......................................................................

libosmo-mgcp-client: fix use-after-free in mgcp_client_tx()

This function calls mgcp_client_pending_add(), that in its turn
allocates a 'mgcp_response_pending' and appends it to the queue.

In case of an error, it calls mgcp_client_handle_response() that
would free the 'mgcp_response_pending', but this structure would
still remain in the linked list (the queue).

Change-Id: Id94bb93a6b0ea7b7241cf7868112e9bec3e60f0b
---
M src/libosmo-mgcp-client/mgcp_client.c
1 file changed, 2 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-mgw refs/changes/80/18880/1

diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c
index 74bdf4d..e9b3ec0 100644
--- a/src/libosmo-mgcp-client/mgcp_client.c
+++ b/src/libosmo-mgcp-client/mgcp_client.c
@@ -959,6 +959,8 @@
 	return 0;
 
 mgcp_tx_error:
+	/* Dequeue pending response, it's going to be free()d */
+	llist_del(&pending->entry);
 	/* Pass NULL to response cb to indicate an error */
 	mgcp_client_handle_response(mgcp, pending, NULL);
 	return -1;

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/18880
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: Id94bb93a6b0ea7b7241cf7868112e9bec3e60f0b
Gerrit-Change-Number: 18880
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanitskiy at sysmocom.de>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20200617/31403bc4/attachment.htm>
