Review at https://gerrit.osmocom.org/7796

sms_queue: fix use-after-free on 'pending'

This bug is super obvious: We cannot first call
sms_pending_free(pending) and then in the next line still dereference
the pending->sms_id member.

Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6
Closes: OS#3152
---
M src/libmsc/sms_queue.c
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/96/7796/1

diff --git a/src/libmsc/sms_queue.c b/src/libmsc/sms_queue.c
index 7d59787..ed11123 100644
--- a/src/libmsc/sms_queue.c
+++ b/src/libmsc/sms_queue.c
@@ -480,8 +480,8 @@
                /* Remember the subscriber and clear the pending entry */
                network->sms_queue->pending -= 1;
                vsub = vlr_subscr_get(pending->vsub);
-               sms_pending_free(pending);
                db_sms_delete_sent_message_by_id(pending->sms_id);
+               sms_pending_free(pending);
                /* Attempt to send another SMS to this subscriber */
                sms_send_next(vsub);
                vlr_subscr_put(vsub);
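Review bot: consider copying `pending->sms_id` into a local next to `vsub = vlr_subscr_get(pending->vsub);` and passing that local to `db_sms_delete_sent_message_by_id()`, so that `sms_pending_free(pending);` can stay the last use of `pending` without the correctness of this block depending on call order; a short comment above `sms_pending_free(pending);` stating that `pending` must not be touched after it would guard against the same regression on a later edit. With the `-`/`+` swap as posted, the delete now runs on a live `pending` and, in the visible context, nothing dereferences `pending` after the free (`sms_send_next(vsub)` and `vlr_subscr_put(vsub)` only use `vsub`, which was obtained from `pending->vsub` before the free), so the use-after-free described in the commit message is closed by this hunk.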

-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6
Gerrit-PatchSet: 1
Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Owner: Harald Welte <lafo...@gnumonks.org>
