Change in osmo-sgsn[master]: gprs_sndcp: fix use after free


laforge gerrit-no-reply at lists.osmocom.org
Fri Oct 2 20:43:15 UTC 2020


laforge has submitted this change. ( https://gerrit.osmocom.org/c/osmo-sgsn/+/20398 )

Change subject: gprs_sndcp: fix use after free
......................................................................

gprs_sndcp: fix use after free

When compression is turned on, an extra buffer "expnd" is allocated in
the context of msg. This means that when msg is freed, expnd is freed as
well and there is no need for freeing it explicitly, which, when it is
done after freeing msg, causes talloc to abort.

Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
---
M src/sgsn/gprs_sndcp.c
1 file changed, 2 insertions(+), 2 deletions(-)

Approvals:
  Jenkins Builder: Verified
  pespin: Looks good to me, but someone else must approve
  laforge: Looks good to me, approved



diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c
index 7ce6960..19d8712 100644
--- a/src/sgsn/gprs_sndcp.c
+++ b/src/sgsn/gprs_sndcp.c
@@ -370,8 +370,8 @@
 	 * downwards in the call above */
 	msgb_free(msg);
 
-	if (any_pcomp_or_dcomp_active(sgsn))
-		talloc_free(expnd);
+	/* Note: We do not have to free expnd explicitly, because it is created
+	 * within the talloc context of msg, which we just freed. */
 
 	return rc;
 }
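
Review bot: The new comment after msgb_free(msg) records the ownership rule only at the point of release, while the allocation that makes expnd a talloc child of msg lies outside this hunk. If that allocation is ever moved to a different talloc context, the missing talloc_free(expnd) turns into a silent leak, so the same note should sit at the allocation site as well. The comment could also say that expnd only exists when any_pcomp_or_dcomp_active(sgsn) is true, which the removed condition used to make visible. After msgb_free(msg) the expnd pointer is dangling; only "return rc;" follows here, so that is fine as long as nothing gets added between the free and the return.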

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-sgsn/+/20398

Gerrit-Project: osmo-sgsn
Gerrit-Branch: master
Gerrit-Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
Gerrit-Change-Number: 20398
Gerrit-PatchSet: 1
Gerrit-Owner: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: daniel <dwillmann at sysmocom.de>
Gerrit-Reviewer: dexter <pmaier at sysmocom.de>
Gerrit-Reviewer: laforge <laforge at osmocom.org>
Gerrit-Reviewer: pespin <pespin at sysmocom.de>
Gerrit-MessageType: merged