diff options
| author | Alexander Chemeris <Alexander.Chemeris@gmail.com> | 2015-09-12 00:08:03 -0400 |
|---|---|---|
| committer | Alexander Chemeris <Alexander.Chemeris@gmail.com> | 2016-11-14 17:40:34 -0800 |
| commit | b2fbdd023be07b7031e83ec79f67fc5c39aec423 (patch) | |
| tree | f9e3664041d5d3ac6a6831f505011cc509f6cfe5 | |
| parent | 66325aee71e23e01492935b6253031bcd7233aa4 (diff) | |
l1sap: Fix use-after-free in loopback mode.
By default l1sap_tch_ind() returns 0 which signals to its caller that message
has been processed and can be freed. In case of loopback we're forwarding
the message to dl_tch_queue who will free it later. Returning 1 from
l1sap_tch_ind() prevents caller from freeing message.
Change-Id: I1e065075baa51c88fa717f132e1f0a83df68be02
| -rw-r--r-- | src/common/l1sap.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/common/l1sap.c b/src/common/l1sap.c index f4bc5ce0..553011f0 100644 --- a/src/common/l1sap.c +++ b/src/common/l1sap.c @@ -925,6 +925,9 @@ static int l1sap_tch_ind(struct gsm_bts_trx *trx, struct osmo_phsap_prim *l1sap, } msgb_enqueue(&lchan->dl_tch_queue, msg); + + /* Return 1 to signal that we're still using msg and it should not be freed */ + return 1; } lchan->rtp_tx_marker = false; |