cbch: Fix dangling cur_msg leading to double-free in bts_cbch_reset()

If a new default message is installed via RSL, and the old default message is currently being transmitted, we must set cur_msg to NULL. The old default message must be talloc_free()d unconditionally whenever a new default message is being set. We can do that by using the TALLOC_FREE macro. Change-Id: Id32c2074b61cd1f09957b9d1558ffb3a7691a8e0 Related: OS#5325
author: Harald Welte <laforge@osmocom.org> 2021-11-24 14:47:23 +0100
committer: Harald Welte <laforge@osmocom.org> 2021-11-24 20:02:42 +0100
commit: cf12cee46cae64859f43b8e78002a1654cb901cd (patch)
tree: f7b1ace913ee178cf9c996e62bebf21f677fc3e6 /src
parent: 79f21c4ed172eadf1e3b046446cdec48ccce6a99 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/src/common/cbch.c b/src/common/cbch.c
index a3e12961..f1f8b6a6 100644
--- a/src/common/cbch.c
+++ b/src/common/cbch.c
@@ -233,10 +233,10 @@ int bts_process_smscb_cmd(struct gsm_bts *bts, struct rsl_ie_cb_cmd_type cmd_typ
 		rate_ctr_inc2(bts_ss->ctrs, CBCH_CTR_RCVD_QUEUED);
 		break;
 	case RSL_CB_CMD_TYPE_DEFAULT:
-		/* old default msg will be free'd in get_smscb_block() if it is currently in transit
-		 * and we set a new default_msg here */
+		/* clear the cur_msg pointer if it is the old default message */
 		if (bts_ss->cur_msg && bts_ss->cur_msg == bts_ss->default_msg)
-			talloc_free(bts_ss->cur_msg);
+			bts_ss->cur_msg = NULL;
+		talloc_free(bts_ss->default_msg);
 		if (cmd_type.def_bcast == RSL_CB_CMD_DEFBCAST_NORMAL)
 			/* def_bcast == 0: normal message */
 			bts_ss->default_msg = scm;
author	Harald Welte <laforge@osmocom.org>	2021-11-24 14:47:23 +0100
committer	Harald Welte <laforge@osmocom.org>	2021-11-24 20:02:42 +0100
commit	cf12cee46cae64859f43b8e78002a1654cb901cd (patch)
tree	f7b1ace913ee178cf9c996e62bebf21f677fc3e6 /src
parent	79f21c4ed172eadf1e3b046446cdec48ccce6a99 (diff)