path: root/src
diff options
authorPablo Neira Ayuso <pablo@gnumonks.org>2013-12-13 15:18:56 +0100
committerPablo Neira Ayuso <pablo@gnumonks.org>2013-12-13 15:23:04 +0100
commit87b3eeaed7dfd321e1964d44019d4c7e6ae88f48 (patch)
treecd235acb1c14c0ddaec232160b8cf49626ff7bf1 /src
parent9b1c0804d967a0d32217503756a67be84b6e6d17 (diff)
osmux: delete message from output list before calling tx_cb
Valgrind complains about a possible use after free: ==12800== Invalid read of size 4 ==12800== at 0x4073DF6: osmux_tx_sched (linuxlist.h:119) ==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261) ==12800== by 0x453F967: ??? ==12800== Address 0x453f710 is 48 bytes inside a block of size 145 +free'd ==12800== at 0x402750C: free (vg_replace_malloc.c:427) ==12800== by 0x4064ADE: talloc_free (talloc.c:609) ==12800== by 0x405AAAA: msgb_free (msgb.c:72) ==12800== by 0x8052492: scheduled_tx_bts_cb (osmux.c:196) ==12800== by 0x4072CF8: osmux_tx_cb (osmux.c:554) ==12800== by 0x4073F03: osmux_tx_sched (osmux.c:582) ==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261) ==12800== by 0x453F967: ??? The problem is that osmux_tx_sched may immediately call osmux_tx_cb for the first extracted RTP message from the osmux batch, which releases the message after that. Remove the message from our list of messages to be transmitted before the message is passed to the tx callback. Reported by Mattias Lundstrom.
Diffstat (limited to 'src')
1 files changed, 1 insertions, 2 deletions
diff --git a/src/osmux.c b/src/osmux.c
index 5cd586c..a2c123c 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -599,10 +599,9 @@ osmux_tx_sched(struct llist_head *list,
LOGP(DLMIB, LOGL_DEBUG, "scheduled transmision in %lu.%6lu "
"seconds, msg=%p\n", when.tv_sec, when.tv_usec, cur);
+ llist_del(&cur->list);
osmux_tx(cur, &when, tx_cb, data);
timeradd(&when, &delta, &when);
- llist_del(&cur->list);