fixeria has submitted this change. (
https://gerrit.osmocom.org/c/libosmocore/+/40222?usp=email )
Change subject: lapdm: Take talloc msgb ownership when enqueueing it
......................................................................
lapdm: Take talloc msgb ownership when enqueueing it
Otherwise the msg talloc reference is kept parented at some unknown
pointer in some unknown upper layer, which may cause memory corruption
or use-after-free.
Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7
Related: OS#6728
(cherry picked from commit 9affae763e296d99eaefa0df59c4020146881bb8)
---
M src/gsm/lapdm.c
1 file changed, 4 insertions(+), 0 deletions(-)
Approvals:
pespin: Looks good to me, approved
Jenkins Builder: Verified
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index 1fc986d..3a0e29b 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -376,6 +376,8 @@
*msgb_push(msg, 1) = pad;
*msgb_push(msg, 1) = link_id;
*msgb_push(msg, 1) = chan_nr;
+ /* Take ownership of msg, since we are keeping it around in
this layer: */
+ talloc_steal(tall_lapd_ctx, msg);
msgb_enqueue(&dl->dl.tx_queue, msg);
return 0;
}
@@ -403,6 +405,8 @@
*msgb_push(msg, 1) = pad;
*msgb_push(msg, 1) = link_id;
*msgb_push(msg, 1) = chan_nr;
+ /* Take ownership of msg, since we are keeping it around in
this layer: */
+ talloc_steal(tall_lapd_ctx, msg);
msgb_enqueue(&dl->tx_ui_queue, msg);
return 0;
}
--
To view, visit https://gerrit.osmocom.org/c/libosmocore/+/40222?usp=email
To unsubscribe, or for help writing mail filters, visit
https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: merged
Gerrit-Project: libosmocore
Gerrit-Branch: rel-1.11.1
Gerrit-Change-Id: Iba7b11bd9541c883588f34df67fdd865d72710d7
Gerrit-Change-Number: 40222
Gerrit-PatchSet: 1
Gerrit-Owner: fixeria <vyanits...@sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: fixeria <vyanits...@sysmocom.de>
Gerrit-Reviewer: pespin <pes...@sysmocom.de>
