From b4d2499f43ab9f3f63f9560726bcb4f7284fc5fa Mon Sep 17 00:00:00 2001
From: Daniel Willmann
Date: Tue, 30 Jan 2018 20:16:07 +0100
Subject: osmo-bsc_nat: Fix use-after-free issue in ctrl forwarding code

Ticket: SYS#3208
---
 openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
index 128ea6518..a1b6210e4 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c
@@ -276,7 +276,8 @@ static int forward_to_bsc(struct ctrl_cmd *cmd)
 }
 pending->ccon = cmd->ccon;
 pending->ccon->closed_cb = ctrl_conn_closed_cb;
- pending->cmd = cmd;
+ /* Copy command since it will be free()d after we exit here */
+ pending->cmd = ctrl_cmd_cpy(pending, cmd);
 
 /* Setup the timeout */
 osmo_timer_setup(&pending->timeout, pending_timeout_cb,
-- 
cgit v1.2.3
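Review bot: The result of `ctrl_cmd_cpy(pending, cmd)` is stored in `pending->cmd` without a NULL check, so a failed allocation inside the copy would leave a pending entry with a NULL command for whatever later reads it (for example `pending_timeout_cb`, which is armed a few lines below). A guard such as `if (!pending->cmd)` directly after the assignment, taking the function's existing failure path before the timer is set up, would close that case; note that `closed_cb` has already been installed on the connection by then. The comment could also state that the copy is allocated with `pending` as its context, presumably so it is released together with the pending entry. The body of forward_to_bsc starts and ends outside this hunk, so the exact cleanup path is not visible here.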