[PATCH] nat: fix use after free in forward_sccp_to_bts

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

pablo at gnumonks.org
Sun May 12 18:52:15 UTC 2013


From: Pablo Neira Ayuso <pablo at gnumonks.org>

valgrind detected a use after free in the path of forward_sccp_to_bts.
The 'parsed' object is referenced from update_con_authorize.
---
 openbsc/src/osmo-bsc_nat/bsc_nat.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index b9bf36c..be8d56a 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -718,15 +718,18 @@ static int forward_sccp_to_bts(struct bsc_msc_connection *msc_con, struct msgb *
 			LOGP(DNAT, LOGL_ERROR, "Unknown connection for msg type: 0x%x from the MSC.\n", parsed->sccp_type);
 	}
 
-	talloc_free(parsed);
-	if (!con)
+	if (!con) {
+		talloc_free(parsed);
 		return -1;
+	}
 	if (!con->bsc->authenticated) {
+		talloc_free(parsed);
 		LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n");
 		return -1;
 	}
 
 	update_con_authorize(con, parsed, msg);
+	talloc_free(parsed);
 
 	bsc_send_data(con->bsc, msg->l2h, msgb_l2len(msg), proto);
 	return 0;
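Review bot: the hunk now has three separate `talloc_free(parsed)` calls on three exit paths (the `!con` branch, the `!con->bsc->authenticated` branch, and after `update_con_authorize`), which is the same pattern that produced the original use-after-free when the single free sat above the call that still reads `parsed`. Consider collapsing them into one free at a common exit, e.g. an `int rc` plus a cleanup label, so that a future early return cannot leak `parsed` or free it too early again; at minimum a short comment above `update_con_authorize(con, parsed, msg);` noting that it dereferences `parsed` would document why the free must follow it. In the authentication branch the order of `talloc_free(parsed)` and the `LOGP` is harmless since the log line does not touch `parsed`, but freeing last in that block would keep the three paths consistent.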
-- 
1.7.10.4
