diff options
| author | Pau Espin Pedrol <pespin@sysmocom.de> | 2021-06-30 16:03:06 +0200 |
|---|---|---|
| committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2021-07-01 13:09:10 +0200 |
| commit | 4f67a9bf4610c9e948f0d81f3b039f36675180a3 (patch) | |
| tree | bf7f2aca513c0df2f2eaf2f4772a779e2558898b /src/pdch_ul_controller.c | |
| parent | 1989a190664ca1d4169c80336b2ecc00426c84f1 (diff) | |
pdch: Fix heap-use-after-free in pdch->ulc
In existing previous code, pdch->ulc would be freed in
gprs_rlcmac_pdch::free_resources() when it became disabled as per PCUIF
info_ind (for instance, when a DYN TS is switched PDCH->SDCCH8).
However, pdch->ulc was so far only allocated during pdch_init, which is
only called during bts_alloc() time.
Hence, after first info_ind disabling it, if it became again enabled
(again by info_ind re-enabling it after SDCCH8 was not longer in use),
the pdch->ulc would be used again but it would point to freed memory.
Let's rearrange how/when resources are freed to make it more logical.
With this patch, pdch internal resources are freed upon ->disable(), and
re-allocated upon ->enable().
Change-Id: Id51f5f6a54ac9f24b784c17bc360ac38f5726fc7
Diffstat (limited to 'src/pdch_ul_controller.c')
0 files changed, 0 insertions, 0 deletions