Change in osmo-bsc[master]: bts_trx: Fix timeslot_fsm not properly freed during trx free()

pespin gerrit-no-reply at lists.osmocom.org
Tue Oct 5 17:33:29 UTC 2021


pespin has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-bsc/+/25693 )


Change subject: bts_trx: Fix timeslot_fsm not properly freed during trx free()
......................................................................

bts_trx: Fix timeslot_fsm not properly freed during trx free()

osmo_fsm_inst_free() must be called explicitly, otherwise the instance
is kept in the llist of instances and produces heap-use-after-free.

Change-Id: Ib0e5560efe518833f76f846d7269e82d85c186a1
---
M include/osmocom/bsc/timeslot_fsm.h
M src/osmo-bsc/bts_trx.c
M src/osmo-bsc/timeslot_fsm.c
3 files changed, 10 insertions(+), 0 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/93/25693/1

diff --git a/include/osmocom/bsc/timeslot_fsm.h b/include/osmocom/bsc/timeslot_fsm.h
index f5e4b4c..1831537 100644
--- a/include/osmocom/bsc/timeslot_fsm.h
+++ b/include/osmocom/bsc/timeslot_fsm.h
@@ -45,6 +45,7 @@
 void ts_fsm_init();
 
 void ts_fsm_alloc(struct gsm_bts_trx_ts *ts);
+void ts_fsm_free(struct gsm_bts_trx_ts *ts);
 
 bool ts_is_capable_of_pchan(struct gsm_bts_trx_ts *ts, enum gsm_phys_chan_config pchan);
 bool ts_is_capable_of_lchant(struct gsm_bts_trx_ts *ts, enum gsm_chan_t type);
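Review bot: The new ts_fsm_free() declaration has no comment stating its contract. A one-line note that it is the counterpart of ts_fsm_alloc(), that it is safe to call when ts->fi is already NULL, and that it leaves ts->fi set to NULL afterwards would tell callers they can invoke it unconditionally from teardown paths.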
diff --git a/src/osmo-bsc/bts_trx.c b/src/osmo-bsc/bts_trx.c
index 9f8837b..9b90c91 100644
--- a/src/osmo-bsc/bts_trx.c
+++ b/src/osmo-bsc/bts_trx.c
@@ -50,6 +50,7 @@
 			osmo_fsm_inst_free(ts->mo.fi);
 			ts->mo.fi = NULL;
 		}
+		ts_fsm_free(ts);
 	}
 	return 0;
 }
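Review bot: The added ts_fsm_free(ts) call runs after ts->mo.fi has already been freed and set to NULL in the same loop iteration, so it is worth confirming that releasing the timeslot FSM never reaches back into ts->mo.fi, or else moving the call ahead of the mo.fi block. The commit message describes a heap-use-after-free, but the change is 10 insertions with no test; a trx allocate/free cycle run under the address sanitizer would keep this from regressing.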
diff --git a/src/osmo-bsc/timeslot_fsm.c b/src/osmo-bsc/timeslot_fsm.c
index adca31d..8d256bb 100644
--- a/src/osmo-bsc/timeslot_fsm.c
+++ b/src/osmo-bsc/timeslot_fsm.c
@@ -66,6 +66,14 @@
 	ts_fsm_update_id(ts);
 }
 
+void ts_fsm_free(struct gsm_bts_trx_ts *ts)
+{
+	if (ts->fi) {
+		osmo_fsm_inst_free(ts->fi);
+		ts->fi = NULL;
+	}
+}
+
 enum lchan_sanity {
 	LCHAN_IS_INSANE = -1,
 	LCHAN_IS_READY_TO_GO,
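Review bot: In ts_fsm_free(), ts->fi is cleared only after osmo_fsm_inst_free() returns, so anything that runs during the free and looks at ts->fi would see a pointer to memory being released. Copying the pointer to a local, setting ts->fi = NULL, and then freeing the local closes that window. The function also releases the instance directly with osmo_fsm_inst_free() rather than terminating it with osmo_fsm_inst_term(); if the timeslot FSM has cleanup work that depends on termination handling, a short comment explaining why a plain free is sufficient here would help.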

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-bsc/+/25693
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Change-Id: Ib0e5560efe518833f76f846d7269e82d85c186a1
Gerrit-Change-Number: 25693
Gerrit-PatchSet: 1
Gerrit-Owner: pespin <pespin at sysmocom.de>
Gerrit-MessageType: newchange