From b2fbdd023be07b7031e83ec79f67fc5c39aec423 Mon Sep 17 00:00:00 2001
From: Alexander Chemeris
Date: Sat, 12 Sep 2015 00:08:03 -0400
Subject: l1sap: Fix use-after-free in loopback mode.
By default l1sap_tch_ind() returns 0 which signals to its caller that message has been processed and can be freed. In case of loopback we're forwarding the message to dl_tch_queue who will free it later. Returning 1 from l1sap_tch_ind() prevents caller from freeing message.
Change-Id: I1e065075baa51c88fa717f132e1f0a83df68be02
---
 src/common/l1sap.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/common')
diff --git a/src/common/l1sap.c b/src/common/l1sap.c
index f4bc5ce0..553011f0 100644
--- a/src/common/l1sap.c
+++ b/src/common/l1sap.c
@@ -925,6 +925,9 @@ static int l1sap_tch_ind(struct gsm_bts_trx *trx, struct osmo_phsap_prim *l1sap,
 	}
 	msgb_enqueue(&lchan->dl_tch_queue, msg);
+
+	/* Return 1 to signal that we're still using msg and it should not be freed */
+	return 1;
 }
 lchan->rtp_tx_marker = false;
--
cgit v1.2.3
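Review bot: The ownership rule that makes this fix correct — 0 means the caller frees `msg`, 1 means the callee kept it — is only recorded in the inline comment above `return 1;`, so the next person adding an early exit to l1sap_tch_ind() (whose definition starts before this hunk) has nothing at the function header telling them which value to return. A header comment such as `/* Returns 0 if the caller may free msg, or 1 if ownership of msg was taken (e.g. it was queued on dl_tch_queue) */` would make the contract visible where exit paths are written, and the bare `1` could be given a name alongside the 0 default for the same reason. Whether the caller actually honours a non-zero return is stated in the commit message but not visible in this hunk, so it is worth confirming at the call site as part of the review. Also note that the hunk queues the same `msg` that arrived wrapped in the L1SAP primitive; if the primitive header has not been stripped earlier in the function, the dequeue side must account for it, which cannot be checked from the lines shown here.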