authorHarald Welte <laforge@gnumonks.org>2018-04-14 20:53:36 +0200
committerHarald Welte <laforge@gnumonks.org>2018-04-14 20:57:42 +0200
commit37a3ae8585df2d7b8d849b194705e3ef0d2e0f6e (patch)
treee75a7ed8a7048bb0ac5e77448eea74e9bab409a0
parentce96928e121fb59ad28e89b3987eaab1566c9a32 (diff)
sms_queue: fix use-after-free on 'pending'
This bug is super obvious: We cannot first call sms_pending_free(pending) and then in the next line still dereference the pending->sms_id member. This bug was introduced in January with Change-Id: I3749855fe25d9d4e37ec96b0c2bffbc692b66a78 and apparently nobody has tested any MT-SMS with asan enabled since? Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6 Closes: OS#3152
-rw-r--r--src/libmsc/sms_queue.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libmsc/sms_queue.c b/src/libmsc/sms_queue.c
index 7d59787f7..ed111231d 100644
--- a/src/libmsc/sms_queue.c
+++ b/src/libmsc/sms_queue.c
@@ -480,8 +480,8 @@ static int sms_sms_cb(unsigned int subsys, unsigned int signal,
/* Remember the subscriber and clear the pending entry */
network->sms_queue->pending -= 1;
vsub = vlr_subscr_get(pending->vsub);
- sms_pending_free(pending);
db_sms_delete_sent_message_by_id(pending->sms_id);
+ sms_pending_free(pending);
/* Attempt to send another SMS to this subscriber */
sms_send_next(vsub);
vlr_subscr_put(vsub);
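Review bot: After the reordered `sms_pending_free(pending);` the variable `pending` is still in scope and sms_sms_cb continues past the end of the hunk, so any later access would reintroduce exactly the use-after-free this commit fixes; I would follow the free with `pending = NULL; /* freed: must not be dereferenced below */` so a regression fails deterministically on a NULL dereference rather than silently reading freed memory. The ordering is now correct on the new side: both `pending->vsub` and `pending->sms_id` are read before the free. If `db_sms_delete_sent_message_by_id` reports failure through its return value (its signature is not visible in the hunk), that result is discarded here, which would leave a sent message in the database without any log line; worth confirming and logging if so.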