author | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-04-11 17:48:18 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-04-11 17:55:38 +0200 |
commit | 77c6e48cb9f9fa69ad23752759415a8438964601 (patch) | |
tree | 5de23b5bedbc206d9b1db910a0fe58bb0cdbefe8 | |
parent | 4d7bab009e5c42bdb5ae418a9cc9bd10b831c383 (diff) |
bsc_nat: ctrl: Fix crash on receveing bsc reply
Since libosmocore 7c0031fc8063771e604976233fb7b46d2b85c077, the cmd
param passed to handlers in ctrl_handle_msg is always freed afterwards,
thus it is owned by the same function. Avoid keeping it alive and
accessing it later when it has already been freed.
Related: OS#3157
Change-Id: Ib1e1fb79746d4a4f3e30254fdb7a7e851c2cd0e4
-rw-r--r-- | openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
index 22c360878..61ac8870a 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
@@ -79,7 +79,6 @@ void bsc_nat_ctrl_del_pending(struct bsc_cmd_list *pending)
 {
 llist_del(&pending->list_entry);
 osmo_timer_del(&pending->timeout);
- talloc_free(pending->cmd);
 talloc_free(pending);
 }
@@ -275,8 +274,15 @@ static int forward_to_bsc(struct ctrl_cmd *cmd)
 cmd->reply = "Sending failed";
 goto err;
 }
+
+ /* caller owns cmd param and will destroy it after we return */
+ pending->cmd = ctrl_cmd_cpy(pending, cmd);
+ if (!pending->cmd) {
+ cmd->reply = "Could not answer command";
+ goto err;
+ }
 cmd->ccon->closed_cb = ctrl_conn_closed_cb;
- pending->cmd = cmd;
+ pending->cmd->ccon = cmd->ccon;
 /* Setup the timeout */
 osmo_timer_setup(&pending->timeout, pending_timeout_cb, |
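Review bot: In the first hunk, once the explicit `talloc_free(pending->cmd)` is removed, nothing in bsc_nat_ctrl_del_pending() records why the command is not leaked. A comment above the remaining free, `/* pending->cmd is a talloc child of pending (see forward_to_bsc) and is released with it */`, would stop a later reader from re-adding the free and reintroducing a double free. The invariant holds only while every `pending->cmd` is allocated with `pending` as its talloc context, as this commit does in forward_to_bsc(); any other assignment sites are not visible in this diff.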
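Review bot: In the second hunk, the copy of `cmd` is made only after the "Sending failed" check, so by the time `ctrl_cmd_cpy()` can fail the request has presumably already been forwarded to the BSC. The new `goto err` then returns without a pending entry, which leaves the BSC's eventual reply with nothing to match against. Moving the `ctrl_cmd_cpy()` call and its NULL check ahead of the send would let an allocation failure abort with nothing in flight. The `err` label and the allocation of `pending` are outside the hunk, so it is worth confirming that `pending` is released on this new error path. The stored `pending->cmd->ccon` is a borrowed pointer to the control connection; a short comment that it stays valid only while `ctrl_conn_closed_cb` handles the close would make that lifetime dependency explicit.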