diff options
| author | Vadim Yanitskiy <axilirator@gmail.com> | 2019-05-02 15:44:54 +0200 |
|---|---|---|
| committer | Vadim Yanitskiy <axilirator@gmail.com> | 2019-05-03 00:34:40 +0200 |
| commit | e8c179a5755b2429fcaeb43430672f1587d56931 (patch) | |
| tree | e3817860cf061cd10ce600df60d6944d66953550 /src/host/layer23/include/osmocom/bb/mobile/app_mobile.h | |
| parent | b4bd78a8eedda7b87b24f4b8bbd4441eb11ec31c (diff) | |
mobile/gsm322.c: fix heap-use-after-free in gsm322_unselect_cell()
In gsm322_l1_signal(), if S_L1CTL_FBSB_ERR is received, we free
stored System Information of the current cell, but cs->si may
still point to it. Let's set it to NULL.
Found with AddressSanitizer:
DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
DCS INFO gsm322.c:2995 Channel sync error, try again
DCS INFO gsm322.c:467 Sync to ARFCN=860(DCS) rxlev=-106
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
DCS INFO gsm322.c:3008 Channel sync error.
DCS DEBUG gsm322.c:3013 free sysinfo ARFCN=860(DCS)
DCS INFO gsm322.c:3020 Unselect cell due to sync error!
DCS INFO gsm322.c:509 Unselecting serving cell.
=================================================================
==6014==ERROR: AddressSanitizer: heap-use-after-free on address
0x61b0000000e6 at pc 0x00000050d6dd
bp 0x7fff7f84aa60 sp 0x7fff7f84aa58
Change-Id: I9cc526c18d69695d810de98703579818408de011
Diffstat (limited to 'src/host/layer23/include/osmocom/bb/mobile/app_mobile.h')
0 files changed, 0 insertions, 0 deletions