This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
dexter gerrit-no-reply at lists.osmocom.org

dexter has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/20398 )

Change subject: gprs_sndcp: fix use after free
......................................................................

gprs_sndcp: fix use after free

When compression is turned on, an extra buffer "expnd" is allocated in the context of msg. This means that when msg is freed, expnd is freed as well and there is no need for freeing it explicitly, which, when it is done after freeing msg, causes talloc to abort.

Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
---
M src/sgsn/gprs_sndcp.c
1 file changed, 2 insertions(+), 2 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-sgsn refs/changes/98/20398/1

diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c index 7ce6960..19d8712 100644 --- a/src/sgsn/gprs_sndcp.c +++ b/src/sgsn/gprs_sndcp.c @@ -370,8 +370,8 @@ * downwards in the call above */ msgb_free(msg); - if (any_pcomp_or_dcomp_active(sgsn)) - talloc_free(expnd); + /* Note: We do not have to free expnd explicitly, because it is created + * within the talloc context of msg, which we just freed. */ return rc; }

--
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/20398
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
Gerrit-Change-Number: 20398
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-MessageType: newchange
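
Review bot: the comment that replaces `talloc_free(expnd);` after `msgb_free(msg);` makes the cleanup depend on expnd always being allocated as a talloc child of msg, and that allocation is not part of this hunk, so the invariant is documented only at the point of release. Consider stating it at the allocation site as well, so that a later change of the talloc context there does not silently turn this into a leak, and check that no other exit path of the function still calls talloc_free(expnd) once msg has been freed.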