author | Philipp Maier <pmaier@sysmocom.de> | 2020-10-02 17:35:25 +0200 |
---|---|---|
committer | Philipp Maier <pmaier@sysmocom.de> | 2020-10-02 17:38:12 +0200 |
commit | ef6205ba00f3197803c05265d9abd1c64c24507d (patch) | |
tree | 2736c4d6f1ec4053e65ea269e08c9e2b598a046f | |
parent | 86336af2a3240b7414b2993d4ee58b0f4e671f9f (diff) |
gprs_sndcp: fix use after free
When compression is turned on, an extra buffer "expnd" is allocated in
the context of msg. This means that when msg is freed, expnd is freed as
well and there is no need for freeing it explicitly, which, when it is
done after freeing msg, causes talloc to abort.
Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
-rw-r--r-- | src/sgsn/gprs_sndcp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c index 7ce69600d..19d87121e 100644 --- a/src/sgsn/gprs_sndcp.c +++ b/src/sgsn/gprs_sndcp.c @@ -370,8 +370,8 @@ static int defrag_segments(struct gprs_sndcp_entity *sne) * downwards in the call above */ msgb_free(msg); - if (any_pcomp_or_dcomp_active(sgsn)) - talloc_free(expnd); + /* Note: We do not have to free expnd explicitly, because it is created + * within the talloc context of msg, which we just freed. */ return rc; } |
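Review bot: the new comment in defrag_segments() relies on expnd having msg as its talloc parent, but the allocation of expnd is outside this hunk, so that ownership is documented only at the free site. Consider adding a matching note where expnd is allocated, so that a later change of its parent context does not silently turn the missing talloc_free(expnd) into a leak. The comment could also state that calling talloc_free(expnd) after msgb_free(msg) is what makes talloc abort, so the removed lines are not restored by mistake.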