laforge has submitted this change. ( 
https://gerrit.osmocom.org/c/osmo-msc/+/28125 )

Change subject: smpp: Fix use-after-free bug when ESME disconnects but has 
write pending
......................................................................

smpp: Fix use-after-free bug when ESME disconnects but has write pending

When the SMPP code frees an ESME it also frees the related write_queue
and the osmo_fd contained therein.  So if this happens while we are
in esme_link_read_cb(), we must return -EBADF to make
osmo_wqueue_bfd_cb() of libosmocore avoid further accessing related
memory.

Change-Id: I441d3b05c2f2556c530783a7f66c73adf6d845a1
Closes: OS#5565
---
M src/libmsc/smpp_smsc.c
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  pespin: Looks good to me, but someone else must approve
  fixeria: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libmsc/smpp_smsc.c b/src/libmsc/smpp_smsc.c
index 4581865..6712032 100644
--- a/src/libmsc/smpp_smsc.c
+++ b/src/libmsc/smpp_smsc.c
@@ -888,7 +888,7 @@
                esme->acl->esme = NULL;
        smpp_esme_put(esme);

-       return 0;
+       return -EBADF;
 }

 /* call-back of write queue once it wishes to write a message to the socket */
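
Review bot: The new `return -EBADF;` directly after `smpp_esme_put(esme);` carries a non-obvious contract that is documented only in the commit message: it is what keeps osmo_wqueue_bfd_cb() from touching the write queue and osmo_fd that the put may have released. A one-line comment above the return saying so would keep a later cleanup from turning it back into `return 0;`. Only this exit path is visible in the hunk, so it is also worth confirming that no other path in esme_link_read_cb() drops the ESME and still returns 0.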

--
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/28125

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: I441d3b05c2f2556c530783a7f66c73adf6d845a1
Gerrit-Change-Number: 28125
Gerrit-PatchSet: 1
Gerrit-Owner: laforge <[email protected]>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <[email protected]>
Gerrit-Reviewer: laforge <[email protected]>
Gerrit-Reviewer: pespin <[email protected]>
Gerrit-MessageType: merged
