Change in osmo-mgw[master]: libosmo-mgcp-client: fix use-after-free in mgcp_client_tx()


laforge gerrit-no-reply at lists.osmocom.org
Thu Jun 18 11:40:37 UTC 2020


laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-mgw/+/18880 )

Change subject: libosmo-mgcp-client: fix use-after-free in mgcp_client_tx()
......................................................................

libosmo-mgcp-client: fix use-after-free in mgcp_client_tx()

This function calls mgcp_client_pending_add(), that in its turn
allocates a 'mgcp_response_pending' and appends it to the queue.

In case of an error, it calls mgcp_client_handle_response() that
would free the 'mgcp_response_pending', but this structure would
still remain in the linked list (the queue).

Change-Id: Id94bb93a6b0ea7b7241cf7868112e9bec3e60f0b
---
M src/libosmo-mgcp-client/mgcp_client.c
1 file changed, 2 insertions(+), 0 deletions(-)

Approvals:
  laforge: Looks good to me, approved
  pespin: Looks good to me, but someone else must approve
  Jenkins Builder: Verified



diff --git a/src/libosmo-mgcp-client/mgcp_client.c b/src/libosmo-mgcp-client/mgcp_client.c
index 74bdf4d..e9b3ec0 100644
--- a/src/libosmo-mgcp-client/mgcp_client.c
+++ b/src/libosmo-mgcp-client/mgcp_client.c
@@ -959,6 +959,8 @@
 	return 0;
 
 mgcp_tx_error:
+	/* Dequeue pending response, it's going to be free()d */
+	llist_del(&pending->entry);
 	/* Pass NULL to response cb to indicate an error */
 	mgcp_client_handle_response(mgcp, pending, NULL);
 	return -1;
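Review bot: at the `mgcp_tx_error:` label, the added `llist_del(&pending->entry)` is only safe if every jump to this label happens after mgcp_client_pending_add() has linked `pending` into the queue and `pending` is non-NULL. The hunk does not show the `goto` sites, so please confirm no earlier failure path lands here. Since the free itself happens inside mgcp_client_handle_response(), the comment could say so explicitly (for example "handle_response() frees it"). It may also be worth a follow-up that puts the unlink and the free in one helper, so a future caller cannot do one without the other. A regression test that forces the transmit error and then walks the pending queue would keep this from coming back; the change touches only mgcp_client.c.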

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-mgw/+/18880

Gerrit-Project: osmo-mgw
Gerrit-Branch: master
Gerrit-Change-Id: Id94bb93a6b0ea7b7241cf7868112e9bec3e60f0b
Gerrit-Change-Number: 18880
Gerrit-PatchSet: 2
Gerrit-Owner: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanitskiy at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: neels <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged