| Field | Value | Date |
|---|---|---|
| author | Vadim Yanitskiy <axilirator@gmail.com> | 2019-05-02 15:44:54 +0200 |
| committer | Vadim Yanitskiy <axilirator@gmail.com> | 2019-05-03 00:34:40 +0200 |
| commit | e8c179a5755b2429fcaeb43430672f1587d56931 (patch) | |
| tree | e3817860cf061cd10ce600df60d6944d66953550 /src/host/layer23/src/mobile/gsm322.c | |
| parent | b4bd78a8eedda7b87b24f4b8bbd4441eb11ec31c (diff) | |
mobile/gsm322.c: fix heap-use-after-free in gsm322_unselect_cell()
In gsm322_l1_signal(), if S_L1CTL_FBSB_ERR is received, we free
stored System Information of the current cell, but cs->si may
still point to it. Let's set it to NULL.
Found with AddressSanitizer:
DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
DCS INFO gsm322.c:2995 Channel sync error, try again
DCS INFO gsm322.c:467 Sync to ARFCN=860(DCS) rxlev=-106
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DRR INFO gsm48_rr.c:665 MON: no cell info
DL1C ERROR l1ctl.c:96 FBSB RESP: result=255
DCS INFO gsm322.c:3008 Channel sync error.
DCS DEBUG gsm322.c:3013 free sysinfo ARFCN=860(DCS)
DCS INFO gsm322.c:3020 Unselect cell due to sync error!
DCS INFO gsm322.c:509 Unselecting serving cell.
=================================================================
==6014==ERROR: AddressSanitizer: heap-use-after-free on address
0x61b0000000e6 at pc 0x00000050d6dd
bp 0x7fff7f84aa60 sp 0x7fff7f84aa58
Change-Id: I9cc526c18d69695d810de98703579818408de011
Diffstat (limited to 'src/host/layer23/src/mobile/gsm322.c')
-rw-r--r-- | src/host/layer23/src/mobile/gsm322.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/host/layer23/src/mobile/gsm322.c b/src/host/layer23/src/mobile/gsm322.c index 7da63e32..bfe63296 100644 --- a/src/host/layer23/src/mobile/gsm322.c +++ b/src/host/layer23/src/mobile/gsm322.c @@ -3011,6 +3011,8 @@ int gsm322_l1_signal(unsigned int subsys, unsigned int signal, cs->list[cs->arfci].flags &= ~GSM322_CS_FLAG_SYSINFO; LOGP(DCS, LOGL_DEBUG, "free sysinfo ARFCN=%s\n", gsm_print_arfcn(index2arfcn(cs->arfci))); + if (cs->si == cs->list[cs->arfci].sysinfo) + cs->si = NULL; talloc_free(cs->list[cs->arfci].sysinfo); cs->list[cs->arfci].sysinfo = NULL; |
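Review bot: the added guard `if (cs->si == cs->list[cs->arfci].sysinfo) cs->si = NULL;` is placed before `talloc_free(cs->list[cs->arfci].sysinfo);`, which is the right order, since the comparison is made against a still-live pointer rather than one that has already been freed, and only clearing `cs->si` when it actually aliases the freed block avoids dropping a different, still-valid selection. Two follow-ups worth considering: first, since the same free-and-clear pattern (`talloc_free(...)` followed by `... sysinfo = NULL`) is open-coded here, moving it into a small helper that also clears `cs->si` would give any other site that frees a cell's `sysinfo` the same protection instead of relying on each caller to remember this check; second, a one-line comment above the new `if` explaining that `cs->si` may alias `list[arfci].sysinfo` (the point made in the commit message) would keep the next reader from treating the guard as redundant and removing it.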