nat: Fix crash (double-free) in forward_sccp_to_msc

In bsc_nat_parse(), parsed is allocated this way: """parsed = talloc_zero(msg, struct bsc_nat_parsed);""" So parsed is a child of msg, and so it's freed when msg is freed. Since libosmocore c7f52c4c84d6a8898048738c4db9266289c40b45, osmo_wqueue_enqueue() correctly detects queue full and returns an error, and then queue_for_msc() calls msgb_free(). Code in osmo-bsc-nat was probably written before that change in behavior, so that's why probably the bug was not hit before. The "if (parsed)" condition is removed since it's actually fine to talloc_free(NULL). Related: SYS#4548 Change-Id: I209d3e2d809a67915ec43c874e68f7f746a565f0
author: Pau Espin Pedrol <pespin@sysmocom.de> 2019-05-02 11:10:01 +0200
committer: Pau Espin Pedrol <pespin@sysmocom.de> 2019-05-08 09:42:23 +0000
commit: 7ab9a9eb50076e98cae0c978622d7be99d9d1b02 (patch)
tree: 4ee59bfec35815d73561548f04f1bd097bc86d8a
parent: 22a569f2ae7defc4eae62f0b1b6d790e412d9dc7 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index c97483aee..30e4b3423 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -1281,9 +1281,9 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg, boo
 	}
 
 	/* send the non-filtered but maybe modified msg */
+	talloc_free(parsed);
 	queue_for_msc(con_msc, msg);
-	if (parsed)
-		talloc_free(parsed);
+
 	return 0;
 
 exit:
author	Pau Espin Pedrol <pespin@sysmocom.de>	2019-05-02 11:10:01 +0200
committer	Pau Espin Pedrol <pespin@sysmocom.de>	2019-05-08 09:42:23 +0000
commit	7ab9a9eb50076e98cae0c978622d7be99d9d1b02 (patch)
tree	4ee59bfec35815d73561548f04f1bd097bc86d8a
parent	22a569f2ae7defc4eae62f0b1b6d790e412d9dc7 (diff)