author | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-01-16 10:09:42 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2014-01-16 10:09:42 +0100 |
commit | 3d0cc2f97d7b559c2fd787915314e81cba92c528 (patch) | |
tree | e8b09c1fa0a602f50b8c0e97e0900c9bacbc417e | |
parent | a0047996990214c72ab20d7a0614d8790f4b9634 (diff) |
tbf: Make finding use-after-free more easy and set to NULL or return
Make use-after-free bugs easier to find by setting things to NULL
or by simply returning after tbf_free(this) has been called.
-rw-r--r-- | src/bts.cpp | 1 | ||||
-rw-r--r-- | src/tbf.cpp | 4 |
2 files changed, 5 insertions, 0 deletions
diff --git a/src/bts.cpp b/src/bts.cpp index 7c60452c..ff16e296 100644 --- a/src/bts.cpp +++ b/src/bts.cpp @@ -851,6 +851,7 @@ void gprs_rlcmac_pdch::rcv_resource_request(Packet_Resource_Request_t *request, "Killing pending DL TBF\n", tlli, tbf_name(dl_tbf)); tbf_free(dl_tbf); + dl_tbf = NULL; } LOGP(DRLCMAC, LOGL_DEBUG, "MS requests UL TBF " "in packet resource request of single " diff --git a/src/tbf.cpp b/src/tbf.cpp index cac807ce..1568720d 100644 --- a/src/tbf.cpp +++ b/src/tbf.cpp @@ -568,6 +568,7 @@ void gprs_rlcmac_tbf::handle_timeout() LOGP(DRLCMAC, LOGL_NOTICE, "%s releasing due to " "PACCH assignment timeout.\n", tbf_name(this)); tbf_free(this); + return; } else LOGP(DRLCMAC, LOGL_ERROR, "Error: %s is not " "in assign state\n", tbf_name(this)); @@ -595,6 +596,7 @@ void gprs_rlcmac_tbf::handle_timeout() "%s will be freed due to timeout\n", tbf_name(this)); /* free TBF */ tbf_free(this); + return; break; default: LOGP(DRLCMAC, LOGL_ERROR, @@ -1531,6 +1533,7 @@ int gprs_rlcmac_tbf::extract_tlli(const uint8_t *data, const size_t len) "Killing pending DL TBF\n", tlli(), tbf_name(dl_tbf)); tbf_free(dl_tbf); + dl_tbf = NULL; } /* tbf_by_tlli will not find your TLLI, because it is not * yet marked valid */ @@ -1540,6 +1543,7 @@ int gprs_rlcmac_tbf::extract_tlli(const uint8_t *data, const size_t len) "Killing pending UL TBF\n", tlli(), tbf_name(ul_tbf)); tbf_free(ul_tbf); + ul_tbf = NULL; } /* mark TLLI valid now */ tlli_mark_valid(); |
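Review bot: The `dl_tbf = NULL;` added after `tbf_free(dl_tbf);` in `rcv_resource_request` (src/bts.cpp) resets only that one variable, so it protects later code in this function and nothing else; any other pointer to the same TBF would still dangle unless `tbf_free()` clears it, which is not visible here. The same holds for `dl_tbf = NULL;` and `ul_tbf = NULL;` in the two `extract_tlli` hunks of src/tbf.cpp. I would add a comment at each site stating the intent, e.g. `/* dl_tbf is dangling now; NULL it so a later use faults instead of reading freed memory */`. All three functions continue outside their hunks, so whether later code tests these variables for NULL cannot be confirmed from here.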
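Review bot: In the second `handle_timeout` hunk of src/tbf.cpp the added `return;` sits directly before the existing `break;`, which is now unreachable; drop the `break;` or replace the pair with `return; /* this was freed above */`. Both `handle_timeout` hunks free `this` and return with no comment, and a short note such as `/* tbf_free(this) destroyed the object; do not touch members past this point */` would stop a later edit from adding code between the two statements. The function starts and ends outside both hunks, so code after the if/else and the switch, and what the caller does with the TBF once `handle_timeout()` returns, should be checked separately.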