diff options
| author | Harald Welte <laforge@osmocom.org> | 2021-11-24 20:00:29 +0100 |
|---|---|---|
| committer | Harald Welte <laforge@osmocom.org> | 2021-11-24 20:02:42 +0100 |
| commit | 79f21c4ed172eadf1e3b046446cdec48ccce6a99 (patch) | |
| tree | 5a3320cb0a0a8b15e901c378ecd156dc49a06fe6 | |
| parent | 40e97f3d024c7c73db2b9ea5dff4131f11d5cc3e (diff) | |
cbch: Fix bts_smscb_state_reset() to avoid double-free
If the currently transmitted message is the default message,
bts_ss->cur_msg == bts_ss->derfault_msg. In this case we cannot
simply talloc_free() both of them, as it would result in a boudle-free.
Change-Id: I2d3645e34d31507b012a53ffe12d14223682f808
Closes: OS#5325
Fixes: Ib01d38c59ba9fa083fcc0682009c13d2db3664fe
| -rw-r--r-- | src/common/cbch.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/common/cbch.c b/src/common/cbch.c index addd68c9..a3e12961 100644 --- a/src/common/cbch.c +++ b/src/common/cbch.c @@ -332,7 +332,10 @@ static void bts_smscb_state_reset(struct bts_smscb_state *bts_ss) } bts_ss->queue_len = 0; rate_ctr_group_reset(bts_ss->ctrs); - TALLOC_FREE(bts_ss->cur_msg); + /* avoid double-free of default_msg in case cur_msg == default_msg */ + if (bts_ss->cur_msg && bts_ss->cur_msg != bts_ss->default_msg) + talloc_free(bts_ss->cur_msg); + bts_ss->cur_msg = NULL; TALLOC_FREE(bts_ss->default_msg); } |