Change in libosmo-sccp[master]: fix use after free in osmo_sccp_simple_server_add_clnt()

Wed, 06 Jun 2018 08:26:43 -0700 

Stefan Sperling has uploaded this change for review. ( 
https://gerrit.osmocom.org/9477


Change subject: fix use after free in osmo_sccp_simple_server_add_clnt()
......................................................................

fix use after free in osmo_sccp_simple_server_add_clnt()

The variable as_name was freed before being passed to the
osmo_ss7_route_create() function. Free it later to avoid
a use-after-free crash with address sanitizer.

Found by running 'examples/m3ua_example aaa' with address
sanitizer enabled.

Change-Id: I9d724bc1d2aa8d6f8b6a67bdeafdb5f0f9136413
Related: OS#2666
---
M src/sccp_user.c
1 file changed, 1 insertion(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/libosmo-sccp refs/changes/77/9477/1

diff --git a/src/sccp_user.c b/src/sccp_user.c
index a6161c0..99ed96e 100644
--- a/src/sccp_user.c
+++ b/src/sccp_user.c
@@ -611,7 +611,6 @@
        as = osmo_ss7_as_find_or_create(ss7, as_name, prot);
        if (!as)
                goto out_strings;
-       talloc_free(as_name);

        /* route only selected PC to the client */
        rt = osmo_ss7_route_create(ss7->rtable_system, pc, 0xffff, as_name);
@@ -624,6 +623,7 @@
        asp->cfg.is_server = true;
        osmo_ss7_as_add_asp(as, asp_name);
        talloc_free(asp_name);
+       talloc_free(as_name);
        osmo_ss7_asp_restart(asp);

        return ss7->sccp;

--
To view, visit https://gerrit.osmocom.org/9477
To unsubscribe, or for help writing mail filters, visit 
https://gerrit.osmocom.org/settings

Gerrit-Project: libosmo-sccp
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I9d724bc1d2aa8d6f8b6a67bdeafdb5f0f9136413
Gerrit-Change-Number: 9477
Gerrit-PatchSet: 1
Gerrit-Owner: Stefan Sperling <[email protected]>

Reply via email to