Harald Welte has submitted this change and it was merged. Change subject: sms_queue: fix use-after-free on 'pending' ......................................................................
sms_queue: fix use-after-free on 'pending' This bug is super obvious: We cannot first call sms_pending_free(pending) and then in the next line still dereference the pending->sms_id member. This bug was introduced in January with Change-Id: I3749855fe25d9d4e37ec96b0c2bffbc692b66a78 and apparently nobody has tested any MT-SMS with asan enabled since? Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6 Closes: OS#3152 --- M src/libmsc/sms_queue.c 1 file changed, 1 insertion(+), 1 deletion(-) Approvals: Harald Welte: Looks good to me, approved; Verified diff --git a/src/libmsc/sms_queue.c b/src/libmsc/sms_queue.c index 7d59787..ed11123 100644 --- a/src/libmsc/sms_queue.c +++ b/src/libmsc/sms_queue.c @@ -480,8 +480,8 @@ /* Remember the subscriber and clear the pending entry */ network->sms_queue->pending -= 1; vsub = vlr_subscr_get(pending->vsub); - sms_pending_free(pending); db_sms_delete_sent_message_by_id(pending->sms_id); + sms_pending_free(pending); /* Attempt to send another SMS to this subscriber */ sms_send_next(vsub); vlr_subscr_put(vsub); -- To view, visit https://gerrit.osmocom.org/7796 To unsubscribe, visit https://gerrit.osmocom.org/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6 Gerrit-PatchSet: 2 Gerrit-Project: osmo-msc Gerrit-Branch: master Gerrit-Owner: Harald Welte <lafo...@gnumonks.org> Gerrit-Reviewer: Harald Welte <lafo...@gnumonks.org> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: Stefan Sperling <ssperl...@sysmocom.de>
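Review bot: The reordering in the hunk around `db_sms_delete_sent_message_by_id(pending->sms_id);` is correct, but the fix still leaves the lifetime of `pending` implicit: the only thing keeping `pending->sms_id` valid is that `sms_pending_free(pending)` now happens to come one line later. Consider copying the id into a local before any teardown, e.g. reading `pending->sms_id` into a local variable right after `vsub = vlr_subscr_get(pending->vsub);` and then calling `db_sms_delete_sent_message_by_id()` with that local, so that a future reordering of the free cannot silently reintroduce the use-after-free. Since the commit message itself notes that no MT-SMS path has apparently been exercised under ASan since the regression was introduced, this change would also be a good place to add an MT-SMS test to the Jenkins job that runs with AddressSanitizer enabled, which would have caught the original ordering bug at the `sms_pending_free(pending);` line.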