diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-05-02 11:10:01 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2019-05-08 09:42:23 +0000 |
commit | 7ab9a9eb50076e98cae0c978622d7be99d9d1b02 (patch) | |
tree | 4ee59bfec35815d73561548f04f1bd097bc86d8a /openbsc/src/osmo-bsc_nat/bsc_ussd.c | |
parent | 22a569f2ae7defc4eae62f0b1b6d790e412d9dc7 (diff) |
nat: Fix crash (double-free) in forward_sccp_to_msc
In bsc_nat_parse(), parsed is allocated this way:
"""parsed = talloc_zero(msg, struct bsc_nat_parsed);"""
So parsed is a child of msg, and so it's freed when msg is freed.
Since libosmocore c7f52c4c84d6a8898048738c4db9266289c40b45,
osmo_wqueue_enqueue() correctly detects queue full and returns an error,
and then queue_for_msc() calls msgb_free(). Code in osmo-bsc-nat was
probably written before that change in behavior, so that's why probably
the bug was not hit before.
The "if (parsed)" condition is removed since it's actually fine to
talloc_free(NULL).
Related: SYS#4548
Change-Id: I209d3e2d809a67915ec43c874e68f7f746a565f0
Diffstat (limited to 'openbsc/src/osmo-bsc_nat/bsc_ussd.c')
0 files changed, 0 insertions, 0 deletions