gprs_sndcp: fix use after free

When compression is turned on, an extra buffer "expnd" is allocated in the context of msg. This means that when msg is freed, expnd is freed as well and there is no need for freein it explcicitly, which, when it is done after freeng msg, causes talloc to abort. Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
author: Philipp Maier <pmaier@sysmocom.de> 2020-10-02 17:35:25 +0200
committer: Philipp Maier <pmaier@sysmocom.de> 2020-10-02 17:38:12 +0200
commit: ef6205ba00f3197803c05265d9abd1c64c24507d (patch)
tree: 2736c4d6f1ec4053e65ea269e08c9e2b598a046f /src/sgsn/gprs_sndcp.c
parent: 86336af2a3240b7414b2993d4ee58b0f4e671f9f (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c
index 7ce69600d..19d87121e 100644
--- a/src/sgsn/gprs_sndcp.c
+++ b/src/sgsn/gprs_sndcp.c
@@ -370,8 +370,8 @@ static int defrag_segments(struct gprs_sndcp_entity *sne)
 	 * downwards in the call above */
 	msgb_free(msg);
 
-	if (any_pcomp_or_dcomp_active(sgsn))
-		talloc_free(expnd);
+	/* Note: We do not have to free expnd explicitly, because it is created
+	 * within the talloc context of msg, which we just freed. */
 
 	return rc;
 }
author	Philipp Maier <pmaier@sysmocom.de>	2020-10-02 17:35:25 +0200
committer	Philipp Maier <pmaier@sysmocom.de>	2020-10-02 17:38:12 +0200
commit	ef6205ba00f3197803c05265d9abd1c64c24507d (patch)
tree	2736c4d6f1ec4053e65ea269e08c9e2b598a046f /src/sgsn/gprs_sndcp.c
parent	86336af2a3240b7414b2993d4ee58b0f4e671f9f (diff)