diff options
| author | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-04-11 18:05:38 +0200 |
|---|---|---|
| committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2018-04-16 13:28:34 +0200 |
| commit | fe49bf0c149d2283c32a373e71b3424e431662fb (patch) | |
| tree | 71f876fba1f40ca8d24fc3b5e86ccb31f69cda77 /src | |
| parent | 3ddb12d52e7f12dee1823d20ec4a2e99172d1db2 (diff) | |
bsc_nat: ctrl: Fix crash on receveing bsc reply
Since libosmocore 7c0031fc8063771e604976233fb7b46d2b85c077, the cmd
param passed to handlers in ctrl_handle_msg is always freed afterwards,
thus it is owned by the same function. Avoid keeping it alive and
accessing it later when it has already been freed.
Related: OS#3157
Change-Id: I764917f641b170597e405f1865b0f7b94bae1597
Diffstat (limited to 'src')
| -rw-r--r-- | src/osmo-bsc_nat/bsc_nat_ctrl.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/osmo-bsc_nat/bsc_nat_ctrl.c b/src/osmo-bsc_nat/bsc_nat_ctrl.c index 7df3ca3ab..75c0dfaa5 100644 --- a/src/osmo-bsc_nat/bsc_nat_ctrl.c +++ b/src/osmo-bsc_nat/bsc_nat_ctrl.c @@ -80,7 +80,6 @@ void bsc_nat_ctrl_del_pending(struct bsc_cmd_list *pending) { llist_del(&pending->list_entry); osmo_timer_del(&pending->timeout); - talloc_free(pending->cmd); talloc_free(pending); } @@ -276,8 +275,15 @@ static int forward_to_bsc(struct ctrl_cmd *cmd) cmd->reply = "Sending failed"; goto err; } + + /* caller owns cmd param and will destroy it after we return */ + pending->cmd = ctrl_cmd_cpy(pending, cmd); + if (!pending->cmd) { + cmd->reply = "Could not answer command"; + goto err; + } cmd->ccon->closed_cb = ctrl_conn_closed_cb; - pending->cmd = cmd; + pending->cmd->ccon = cmd->ccon; /* Setup the timeout */ osmo_timer_setup(&pending->timeout, pending_timeout_cb, |