authorVadim Yanitskiy <axilirator@gmail.com>2020-03-01 00:39:05 +0700
committerVadim Yanitskiy <axilirator@gmail.com>2020-03-01 02:22:13 +0700
commit60ce34575542b5a73d967991ba66a792e5fdc0f2 (patch)
treeecd756a5b0be9facd7129e02476fbc88c454b044 /src/host/layer23/src
parentc083e2ce90e0075db7f1ca8498e6223e5d3ed43f (diff)
mobile/gsm322: fix use-after-free of cs->si reported by ASan
The pointer cs->si stores the address of the System Information of the currently selected cell. When we release System Information, ensure that it does not point to free()d memory. Change-Id: Ife2ddf7274a48447a9ded9035f9dd01befaf2e6c
Diffstat (limited to 'src/host/layer23/src')
-rw-r--r--src/host/layer23/src/mobile/gsm322.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/host/layer23/src/mobile/gsm322.c b/src/host/layer23/src/mobile/gsm322.c
index ddb3a77a..cc4f0cd0 100644
--- a/src/host/layer23/src/mobile/gsm322.c
+++ b/src/host/layer23/src/mobile/gsm322.c
@@ -2635,6 +2635,8 @@ static int gsm322_c_camp_sysinfo_bcch(struct osmocom_ms *ms, struct msgb *msg)
if (cs->list[cs->arfci].sysinfo) {
LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",
gsm_print_arfcn(cs->arfcn));
+ if (cs->si == cs->list[cs->arfci].sysinfo)
+ cs->si = NULL;
talloc_free(cs->list[cs->arfci].sysinfo);
cs->list[cs->arfci].sysinfo = NULL;
}
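Review bot: The guarded clear added before talloc_free() here is repeated verbatim in the hunks at gsm322_cs_timeout and gsm322_l1_signal, so the free-sysinfo sequence (alias check, talloc_free, NULL the list slot) now lives in three places and a fourth variant in gsm322_exit; a small `static` helper taking `cs` and the list index, called as e.g. `gsm322_cs_free_sysinfo(cs, cs->arfci);` at each site, would keep the alias check from being forgotten at the next free site. The helper body is just these four lines, with a one-line comment such as `/* drop cs->si if it aliases the entry being freed, then release it */`. Separately, since cs->si can now be NULL where it previously dangled, any reader that dereferences cs->si after a cell is dropped will fault instead of reading freed memory; I cannot see those readers in this hunk, so please confirm they check for NULL. The enclosing function gsm322_c_camp_sysinfo_bcch continues outside the hunk.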
@@ -2752,6 +2754,8 @@ static void gsm322_cs_timeout(void *arg)
if (cs->list[cs->arfci].sysinfo) {
LOGP(DCS, LOGL_DEBUG, "free sysinfo arfcn=%s\n",
gsm_print_arfcn(cs->arfcn));
+ if (cs->si == cs->list[cs->arfci].sysinfo)
+ cs->si = NULL;
talloc_free(cs->list[cs->arfci].sysinfo);
cs->list[cs->arfci].sysinfo = NULL;
}
@@ -2919,6 +2923,8 @@ int gsm322_l1_signal(unsigned int subsys, unsigned int signal,
cs->list[i].flags &= ~GSM322_CS_FLAG_SYSINFO;
LOGP(DCS, LOGL_DEBUG, "free sysinfo ARFCN=%s\n",
gsm_print_arfcn(index2arfcn(i)));
+ if (cs->si == cs->list[i].sysinfo)
+ cs->si = NULL;
talloc_free(cs->list[i].sysinfo);
cs->list[i].sysinfo = NULL;
}
@@ -5145,6 +5151,7 @@ int gsm322_exit(struct osmocom_ms *ms)
gsm_print_arfcn(index2arfcn(i)));
talloc_free(cs->list[i].sysinfo);
cs->list[i].sysinfo = NULL;
+ cs->si = NULL;
}
cs->list[i].flags = 0;
}
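Review bot: In gsm322_exit the added `cs->si = NULL;` is unconditional and sits inside the per-entry free branch, so it runs once per freed entry and is skipped entirely if no entry holds sysinfo, which differs from the guarded `if (cs->si == cs->list[i].sysinfo)` form used in the other three hunks. If cs->si can only ever alias a list entry the result is the same, but the intent is clearer with a single `cs->si = NULL;` after the loop (tear-down drops the selected cell regardless), or with the same guarded form for consistency. The enclosing loop and function continue outside the hunk, so I cannot tell whether cs->si is cleared elsewhere in gsm322_exit.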