diff options
| author | Pau Espin Pedrol <pespin@sysmocom.de> | 2020-01-08 21:10:04 +0100 |
|---|---|---|
| committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2020-01-08 21:10:08 +0100 |
| commit | 7ec4c1f0ee2e4e04248cbb2d276094f8cb05ba6b (patch) | |
| tree | c02731a4c481de17d2c813af91de84d59864e109 /src/sccp_user.c | |
| parent | a468af2c64a85978a1d5e394539e900e3b3a2050 (diff) | |
sua.c: Avoid double free in sua_rx_msg()->...->mtp_user_prim_cb()
Old commit of mine successfully fixed a memory leak, but apparently
after some more investigation it seems to have introduced a double free
of xua object in other code paths.
Nowadays, it seems scrc_rx_mtp_xfer_ind_xua() is called from 3 different places:
mtp_user_prim_cb()
sua_rx_cl()
sua_rx_co()
Before present patch, first caller is not freeing the xua message and my
old commit made scrc_rx_mtp_xfer_ind_xua() free it (by passing
ownsership of the object). But the other 2 callers do free the xua
object afterwards (actually the grandparent caller sua_rx_msg() does
it), which means it would double-free the xua object.
Let's move ownership out of scrc_rx_mtp_xfer_ind_xua() and let the
caller free the xua object (only changes need on the first caller). This
way everybody is happy and we keep the free() closer to the alloc().
Change-Id: Ia550b781b97adbdc0a0ad58a1075e5467e056f1e
Related: OS#4348
Fixes: 9c3baa89fb6b3fc1ef588930f361d013f98a1e39
Diffstat (limited to 'src/sccp_user.c')
| -rw-r--r-- | src/sccp_user.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/sccp_user.c b/src/sccp_user.c index 929445f..49cc212 100644 --- a/src/sccp_user.c +++ b/src/sccp_user.c @@ -174,6 +174,7 @@ static int mtp_user_prim_cb(struct osmo_prim_hdr *oph, void *ctx) xua->mtp = omp->u.transfer; /* hand this primitive into SCCP via the SCRC code */ rc = scrc_rx_mtp_xfer_ind_xua(inst, xua); + xua_msg_free(xua); break; default: LOGP(DLSCCP, LOGL_ERROR, "Unknown primitive %u:%u receivd\n", |