authorHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-01-16 10:09:42 +0100
committerHolger Hans Peter Freyther <holger@moiji-mobile.com>2014-01-16 10:09:42 +0100
commit3d0cc2f97d7b559c2fd787915314e81cba92c528 (patch)
treee8b09c1fa0a602f50b8c0e97e0900c9bacbc417e
parenta0047996990214c72ab20d7a0614d8790f4b9634 (diff)
tbf: Make finding use-after-free more easy and set to NULL or return
Make use-after-free bugs easier to find by setting things to NULL, or by simply returning, after tbf_free(this) has been called.
-rw-r--r--src/bts.cpp1
-rw-r--r--src/tbf.cpp4
2 files changed, 5 insertions, 0 deletions
diff --git a/src/bts.cpp b/src/bts.cpp
index 7c60452c..ff16e296 100644
--- a/src/bts.cpp
+++ b/src/bts.cpp
@@ -851,6 +851,7 @@ void gprs_rlcmac_pdch::rcv_resource_request(Packet_Resource_Request_t *request,
"Killing pending DL TBF\n", tlli,
tbf_name(dl_tbf));
tbf_free(dl_tbf);
+ dl_tbf = NULL;
}
LOGP(DRLCMAC, LOGL_DEBUG, "MS requests UL TBF "
"in packet resource request of single "
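Review bot: Setting `dl_tbf = NULL;` after `tbf_free(dl_tbf)` resets only this local variable, so any other pointer to the same TBF held elsewhere would still dangle, and nothing in the hunk shows whether later code in rcv_resource_request checks `dl_tbf` before using it. The same free-then-NULL pair is added twice in extract_tlli in src/tbf.cpp (for `dl_tbf` and `ul_tbf`). A short comment at each site would record the intent, for example `/* freed above; NULL it so a later use faults instead of reading freed memory */`. The function body continues outside the hunk, so any later use of the pointer should be confirmed to be NULL-checked there.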
diff --git a/src/tbf.cpp b/src/tbf.cpp
index cac807ce..1568720d 100644
--- a/src/tbf.cpp
+++ b/src/tbf.cpp
@@ -568,6 +568,7 @@ void gprs_rlcmac_tbf::handle_timeout()
LOGP(DRLCMAC, LOGL_NOTICE, "%s releasing due to "
"PACCH assignment timeout.\n", tbf_name(this));
tbf_free(this);
+ return;
} else
LOGP(DRLCMAC, LOGL_ERROR, "Error: %s is not "
"in assign state\n", tbf_name(this));
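Review bot: The new `return;` keeps handle_timeout from touching members after `tbf_free(this)`, but the function returns void, so its caller gets no signal that the object is gone. The callers are not visible here, so whether any of them uses the TBF after this call should be checked. A comment above the return would document the constraint, for example `/* 'this' has been freed; do not access members or fall through */`, and it applies equally to the second `return;` added in the next hunk. The if-branch is braced while the `else` is not; bracing both would keep the boundaries clear now that one branch exits early.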
@@ -595,6 +596,7 @@ void gprs_rlcmac_tbf::handle_timeout()
"%s will be freed due to timeout\n", tbf_name(this));
/* free TBF */
tbf_free(this);
+ return;
break;
default:
LOGP(DRLCMAC, LOGL_ERROR,
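Review bot: The `break;` left directly after the new `return;` is now unreachable. The case should end in the `return;` alone, with the existing `/* free TBF */` comment extended to say why, for example `/* free TBF; 'this' is gone, so leave the function immediately */`. The switch starts and ends outside the hunk, so whether any code after it would otherwise have run on the freed object cannot be confirmed from here.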
@@ -1531,6 +1533,7 @@ int gprs_rlcmac_tbf::extract_tlli(const uint8_t *data, const size_t len)
"Killing pending DL TBF\n", tlli(),
tbf_name(dl_tbf));
tbf_free(dl_tbf);
+ dl_tbf = NULL;
}
/* tbf_by_tlli will not find your TLLI, because it is not
* yet marked valid */
@@ -1540,6 +1543,7 @@ int gprs_rlcmac_tbf::extract_tlli(const uint8_t *data, const size_t len)
"Killing pending UL TBF\n", tlli(),
tbf_name(ul_tbf));
tbf_free(ul_tbf);
+ ul_tbf = NULL;
}
/* mark TLLI valid now */
tlli_mark_valid();