From 87b3eeaed7dfd321e1964d44019d4c7e6ae88f48 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Fri, 13 Dec 2013 15:18:56 +0100
Subject: osmux: delete message from output list before calling tx_cb
Valgrind complains about a possible use after free:
==12800== Invalid read of size 4
==12800== at 0x4073DF6: osmux_tx_sched (linuxlist.h:119)
==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800== by 0x453F967: ???
==12800== Address 0x453f710 is 48 bytes inside a block of size 145 +free'd
==12800== at 0x402750C: free (vg_replace_malloc.c:427)
==12800== by 0x4064ADE: talloc_free (talloc.c:609)
==12800== by 0x405AAAA: msgb_free (msgb.c:72)
==12800== by 0x8052492: scheduled_tx_bts_cb (osmux.c:196)
==12800== by 0x4072CF8: osmux_tx_cb (osmux.c:554)
==12800== by 0x4073F03: osmux_tx_sched (osmux.c:582)
==12800== by 0x8052B0F: osmux_read_from_bsc_nat_cb (osmux.c:261)
==12800== by 0x453F967: ???
The problem is that osmux_tx_sched may immediately call osmux_tx_cb for the first extracted RTP message from the osmux batch, which releases the message after that. Remove the message from our list of messages to be transmitted before the message is passed to the tx callback. Reported by Mattias Lundstrom.
---
src/osmux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/osmux.c b/src/osmux.c
index 5cd586c..a2c123c 100644
--- a/src/osmux.c
+++ b/src/osmux.c
@@ -599,10 +599,9 @@ osmux_tx_sched(struct llist_head *list,
 LOGP(DLMIB, LOGL_DEBUG, "scheduled transmision in %lu.%6lu "
 "seconds, msg=%p\n", when.tv_sec, when.tv_usec, cur);
-
+ llist_del(&cur->list);
 osmux_tx(cur, &when, tx_cb, data);
 timeradd(&when, &delta, &when);
- llist_del(&cur->list);
 }
 }
--
cgit v1.2.3
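Review bot: The new `llist_del(&cur->list);` placed before `osmux_tx(cur, &when, tx_cb, data);` is only correct because the tx callback may free `cur`, and the hunk leaves that ownership hand-over undocumented, so a later cleanup could move the unlink back below the call and reintroduce the use-after-free. A one-line comment on the new line would pin it: `/* tx_cb may free cur: unlink it before ownership is handed over */`. The loop head enclosing this body is outside the hunk; since `cur` can be freed inside the body, the fix also relies on the iterator having captured the next element before the body runs (the `_safe` list walk), which is worth confirming in the full function. The valgrind trace in the description, with the invalid read inside `llist_del` (linuxlist.h:119) on an already-freed msgb, appears consistent with the reorder alone being sufficient.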