From 44d92b472825ae51bc349a91c04c2547f6544a0f Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Fri, 2 Apr 2010 03:28:30 +0200
Subject: bsc_msc_ip.c: Return after having freed the msgb

When reading MGCP is failing (e.g. because the udp socket is not connected yet) we would have freed the msgb but we didn't return and then executed msgb_put on a dead buffer.
---
 openbsc/src/bsc_msc_ip.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'openbsc')

diff --git a/openbsc/src/bsc_msc_ip.c b/openbsc/src/bsc_msc_ip.c
index 166726342..535445a4a 100644
--- a/openbsc/src/bsc_msc_ip.c
+++ b/openbsc/src/bsc_msc_ip.c
@@ -603,9 +603,14 @@ static int mgcp_do_read(struct bsc_fd *fd)
 ret = read(fd->fd, mgcp->data, mgcp->len);
 if (ret <= 0) {
- LOGP(DMGCP, LOGL_ERROR, "Failed to read: %d\n", errno);
+ LOGP(DMGCP, LOGL_ERROR, "Failed to read: %d/%s\n", errno, strerror(errno));
 msgb_free(mgcp);
- }
+ return -1;
+ } else if (ret > 4096 - 128) {
+ LOGP(DMGCP, LOGL_ERROR, "Too much data: %d\n", ret);
+ msgb_free(mgcp);
+ return -1;
+ }
 msgb_put(mgcp, ret);
 msc_queue_write(mgcp, NAT_IPAC_PROTO_MGCP);
-- 
cgit v1.2.3
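Review bot: The new `else if (ret > 4096 - 128)` guard hard-codes an allocation size and headroom that are not visible in this hunk, so the bound silently drifts the moment the msgb allocation in the unseen part of mgcp_do_read changes. The read is already bounded by `mgcp->len`, so the check only protects msgb_put() if `mgcp->len` can exceed the tailroom; if the msgb helpers in scope provide msgb_tailroom(), `} else if (ret > msgb_tailroom(mgcp)) {` would state the real invariant, otherwise the two literals deserve named constants shared with the allocation site. Worth confirming, since it is not shown here, that read() filling from `mgcp->data` and msgb_put() extending from the tail refer to the same region when the buffer was allocated with headroom. Also note that `ret == 0` is a zero-length datagram rather than a failed read on a UDP socket, so the "Failed to read" message with a possibly stale errno is misleading for that case; a separate branch or wording such as `"Empty read / failed to read: ..."` would make the log trustworthy. mgcp_do_read() begins before and ends after this hunk.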