Harald Welte has submitted this change and it was merged. Change subject: bsc_nat: ctrl: Fix crash on receiving bsc reply ......................................................................
bsc_nat: ctrl: Fix crash on receiving bsc reply Since libosmocore 7c0031fc8063771e604976233fb7b46d2b85c077, the cmd param passed to handlers in ctrl_handle_msg is always freed afterwards, thus it is owned by the same function. Avoid keeping it alive and accessing it later when it has already been freed. Related: OS#3157 Change-Id: Ib1e1fb79746d4a4f3e30254fdb7a7e851c2cd0e4 --- M openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c 1 file changed, 8 insertions(+), 2 deletions(-) Approvals: Harald Welte: Looks good to me, approved Jenkins Builder: Verified diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c index 22c3608..61ac887 100644 --- a/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c +++ b/openbsc/src/osmo-bsc_nat/bsc_nat_ctrl.c @@ -79,7 +79,6 @@ { llist_del(&pending->list_entry); osmo_timer_del(&pending->timeout); - talloc_free(pending->cmd); talloc_free(pending); } @@ -275,8 +274,15 @@ cmd->reply = "Sending failed"; goto err; } + + /* caller owns cmd param and will destroy it after we return */ + pending->cmd = ctrl_cmd_cpy(pending, cmd); + if (!pending->cmd) { + cmd->reply = "Could not answer command"; + goto err; + } cmd->ccon->closed_cb = ctrl_conn_closed_cb; - pending->cmd = cmd; + pending->cmd->ccon = cmd->ccon; /* Setup the timeout */ osmo_timer_setup(&pending->timeout, pending_timeout_cb, -- To view, visit https://gerrit.osmocom.org/7764 Gerrit-MessageType: merged Gerrit-Change-Id: Ib1e1fb79746d4a4f3e30254fdb7a7e851c2cd0e4 Gerrit-PatchSet: 1 Gerrit-Project: openbsc Gerrit-Branch: master Gerrit-Owner: Pau Espin Pedrol <pes...@sysmocom.de> Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Neels Hofmeyr <nhofm...@sysmocom.de> Gerrit-Reviewer: daniel <dwillm...@sysmocom.de>
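Review bot: In the first hunk (@@ -79,7 +79,6 @@), dropping `talloc_free(pending->cmd);` from the pending-entry teardown is only correct because the second hunk allocates the copy with `pending` as its talloc parent (`ctrl_cmd_cpy(pending, cmd)`), so `talloc_free(pending);` now releases the copy as a child; a reader of this function on its own will see a missing free, so a one-line comment such as `/* pending->cmd is a talloc child of pending and is freed with it */` next to `talloc_free(pending);` would document the ownership the fix relies on. Before this change the explicit free was the actual crash source: `pending->cmd` pointed at the caller-owned `cmd` that ctrl_handle_msg frees after the handler returns, so the teardown freed it a second time (or the timeout/reply path touched it after the caller had already freed it).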
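Review bot: In the second hunk (@@ -275,8 +274,15 @@), the added `pending->cmd->ccon = cmd->ccon;` shows that `ctrl_cmd_cpy()` does not carry the connection pointer over, and the code now holds a raw `ccon` pointer inside a long-lived pending entry while `ctrl_conn_closed_cb` is registered on that connection; the comment added above the copy should also state that `ccon` is borrowed, not owned, and that `ctrl_conn_closed_cb` is responsible for dropping pending entries whose `cmd->ccon` matches the closing connection, otherwise the copy's `ccon` dangles exactly the way the old `cmd` pointer did. The new failure branch (`if (!pending->cmd) { cmd->reply = "Could not answer command"; goto err; }`) assigns a string literal to `cmd->reply` on the caller-owned command, which matches the existing `cmd->reply = "Sending failed";` just above it and is fine as long as `err:` frees `pending` (not visible in this hunk) and ctrl_handle_msg does not talloc_free the reply string.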