diff options
| author | Neels Hofmeyr <neels@hofmeyr.de> | 2017-11-18 22:19:55 +0100 |
|---|---|---|
| committer | Neels Hofmeyr <nhofmeyr@sysmocom.de> | 2017-11-20 13:49:32 +0000 |
| commit | 1a5bcd5c3b3c84dbd1bf99fe08eaab51370fbef9 (patch) | |
| tree | e01fbaf5e66f4223ad430489c2ec347599bf8832 /include/osmocom/msc/vlr.h | |
| parent | c6bf27466ce66dfe3326e129713dbbdc8cdbf2af (diff) | |
sub_pres_vlr_fsm_start: fix heap use after free
When sub_pres_vlr_fsm_start() is called, it dispatches an event which may in
some cases already cause tear down and free of the parent FSM instance, after
which storing the returned instance pointer in that parent's metadata will use
freed memory. Instead, pass the target pointer to remember the instance at to
sub_pres_vlr_fsm_start() and assign the pointer *before* firing the event.
Explain so in a new comment.
I haven't checked whether that pointer is actually used at all -- this is the
easiest way to fix the use-after-free without getting sucked into semantic
questions.
Change-Id: Ibdc0b64cd12ba3e2b9737e3517d8484e67abcf04
Diffstat (limited to 'include/osmocom/msc/vlr.h')
| -rw-r--r-- | include/osmocom/msc/vlr.h | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/include/osmocom/msc/vlr.h b/include/osmocom/msc/vlr.h index d5306fa81..9e6b12c33 100644 --- a/include/osmocom/msc/vlr.h +++ b/include/osmocom/msc/vlr.h @@ -274,9 +274,10 @@ int vlr_start(const char *gsup_unit_name, struct vlr_instance *vlr, /* internal use only */ -struct osmo_fsm_inst *sub_pres_vlr_fsm_start(struct osmo_fsm_inst *parent, - struct vlr_subscr *vsub, - uint32_t term_event); +void sub_pres_vlr_fsm_start(struct osmo_fsm_inst **fsm, + struct osmo_fsm_inst *parent, + struct vlr_subscr *vsub, + uint32_t term_event); struct osmo_fsm_inst * upd_hlr_vlr_proc_start(struct osmo_fsm_inst *parent, struct vlr_subscr *vsub, |