rsl: fix double-free in rsl_rx_mode_modif()

When the RSL_IE_CHAN_MODE is is missing, then the message buffer is freed and the channel mode modify is nacked using return rsl_tx_mode_modif_nack() The function rsl_tx_mode_modif_nack uses abis_bts_rsl_sendmsg() which returns 0 on success. This eventually leads into a double- free in rsl_rx_dchan() which frees the message buffer on all return codes except 1. - Remove the excess msgb_free() in the error handling path. Change-Id: I946a927ba35aa115520b1248eefccd91832f69f6
author: Philipp Maier <pmaier@sysmocom.de> 2018-01-26 10:23:20 +0100
committer: Philipp Maier <pmaier@sysmocom.de> 2018-01-26 12:42:04 +0100
commit: 7d62629ca2a8e0b467d650bc4fed3c66178d7171 (patch)
tree: 71e4d7e979005ffb6422e66d80f0a289425d5621
parent: 75d0fcdfcd4dec0e3d11127a7982014b5d3bf660 (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/src/common/rsl.c b/src/common/rsl.c
index 88e240ac..1f45cc60 100644
--- a/src/common/rsl.c
+++ b/src/common/rsl.c
@@ -1283,7 +1283,6 @@ static int rsl_rx_mode_modif(struct msgb *msg)
 	/* 9.3.6 Channel Mode */
 	if (!TLVP_PRESENT(&tp, RSL_IE_CHAN_MODE)) {
 		LOGP(DRSL, LOGL_NOTICE, "missing Channel Mode\n");
-		msgb_free(msg);
 		return rsl_tx_mode_modif_nack(lchan, RSL_ERR_MAND_IE_ERROR);
 	}
 	cm = (struct rsl_ie_chan_mode *) TLVP_VAL(&tp, RSL_IE_CHAN_MODE);
author	Philipp Maier <pmaier@sysmocom.de>	2018-01-26 10:23:20 +0100
committer	Philipp Maier <pmaier@sysmocom.de>	2018-01-26 12:42:04 +0100
commit	7d62629ca2a8e0b467d650bc4fed3c66178d7171 (patch)
tree	71e4d7e979005ffb6422e66d80f0a289425d5621
parent	75d0fcdfcd4dec0e3d11127a7982014b5d3bf660 (diff)