cbch: Fix dangling cur_msg leading to double-free in bts_cbch_reset()

If a new default message is installed via RSL, and the old default
message is currently being transmitted, we must set cur_msg to NULL.

The old default message must be talloc_free()d unconditionally whenever
a new default message is being set.

We can do that by using the TALLOC_FREE macro.

Change-Id: Id32c2074b61cd1f09957b9d1558ffb3a7691a8e0
Related: OS#5325
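The lifecycle the commit message describes, as an added example that is not osmo-bts code: a minimal model of cur_msg/default_msg in which messages come from a static pool and "freeing" only marks the slot, so a double free or use-after-free is counted instead of corrupting the heap. The buggy installer frees the in-transit default but leaves cur_msg dangling, so the transmit path frees it again; the fixed installer clears cur_msg first and then frees the old default unconditionally, mirroring TALLOC_FREE with a local macro. All names (smscb_state, get_block, set_default_buggy, set_default_fixed, run_scenario) are hypothetical stand-ins for the real functions.

```c
/* Added example, not osmo-bts code: model of the cur_msg/default_msg lifecycle
 * from the commit message. Names are hypothetical. Messages live in a static
 * pool and free only clears a flag, so faults are counted, not executed. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

struct smscb_msg {
	int blocks_left;               /* blocks still to be transmitted */
};

struct smscb_state {
	struct smscb_msg *cur_msg;     /* message currently in transit */
	struct smscb_msg *default_msg; /* sent whenever the queue is empty */
	int double_frees;              /* free of an already freed message */
	int use_after_free;            /* transmit step on a freed message */
};

#define POOL_SIZE 8
static struct smscb_msg pool[POOL_SIZE];
static int pool_used[POOL_SIZE];   /* 1 while allocated, 0 after free */

static struct smscb_msg *msg_alloc(int blocks)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		if (!pool_used[i]) {
			pool_used[i] = 1;
			pool[i].blocks_left = blocks;
			return &pool[i];
		}
	}
	abort();
}

static int msg_is_live(const struct smscb_msg *m)
{
	return m >= pool && m < pool + POOL_SIZE && pool_used[m - pool];
}

/* Like talloc_free(): NULL is a no-op, a second free is recorded as a fault. */
static void msg_free(struct smscb_state *st, struct smscb_msg *m)
{
	if (!m)
		return;
	if (!msg_is_live(m)) {
		st->double_frees++;
		return;
	}
	pool_used[m - pool] = 0;
}

/* Mirrors TALLOC_FREE(): free and clear the pointer in one step. */
#define MSG_FREE(st, p) do { msg_free((st), (p)); (p) = NULL; } while (0)

/* Model of get_smscb_block(): transmit one block of cur_msg, falling back to
 * default_msg. An exhausted message is freed here unless it is still the
 * installed default; for a dangling old default this is the second free. */
static void get_block(struct smscb_state *st)
{
	if (!st->cur_msg)
		st->cur_msg = st->default_msg;
	if (!st->cur_msg)
		return;
	if (!msg_is_live(st->cur_msg))
		st->use_after_free++;
	if (--st->cur_msg->blocks_left <= 0) {
		if (st->cur_msg != st->default_msg)
			msg_free(st, st->cur_msg);
		st->cur_msg = NULL;
	}
}

/* Buggy installer: frees the in-transit default but leaves cur_msg dangling,
 * and a default that is not in transit is never freed at all. */
static void set_default_buggy(struct smscb_state *st, struct smscb_msg *new_def)
{
	if (st->cur_msg && st->cur_msg == st->default_msg)
		msg_free(st, st->cur_msg);
	st->default_msg = new_def;
}

/* Fixed installer, as the commit message describes: drop the cur_msg
 * reference first, then free the old default unconditionally. */
static void set_default_fixed(struct smscb_state *st, struct smscb_msg *new_def)
{
	if (st->cur_msg && st->cur_msg == st->default_msg)
		st->cur_msg = NULL;
	MSG_FREE(st, st->default_msg);
	st->default_msg = new_def;
}

/* Scenario: a 3-block default is mid-transmission when a new default is
 * installed; transmission then continues. Returns the observed fault counts. */
static struct smscb_state run_scenario(void (*set_default)(struct smscb_state *,
							   struct smscb_msg *))
{
	struct smscb_state st;
	memset(&st, 0, sizeof(st));
	memset(pool_used, 0, sizeof(pool_used));
	st.default_msg = msg_alloc(3);
	get_block(&st);                  /* old default is now in transit */
	set_default(&st, msg_alloc(3));  /* new default arrives via RSL */
	for (int i = 0; i < 3; i++)
		get_block(&st);          /* keep transmitting */
	MSG_FREE(&st, st.default_msg);
	return st;
}

int main(void)
{
	struct smscb_state b = run_scenario(set_default_buggy);
	struct smscb_state f = run_scenario(set_default_fixed);
	printf("buggy: double frees=%d use-after-free=%d\n", b.double_frees, b.use_after_free);
	printf("fixed: double frees=%d use-after-free=%d\n", f.double_frees, f.use_after_free);
	return 0;
}
```

The pool is what makes the faults observable: with a real allocator the second free would corrupt heap metadata or be aborted by the allocator's own check, and the read of blocks_left through the dangling pointer would be undefined behaviour rather than a counted event.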
Harald Welte 2021-11-24 14:47:23 +01:00
parent 79f21c4ed1
commit cf12cee46c
1 changed file with 3 additions and 3 deletions


@ -233,10 +233,10 @@ int bts_process_smscb_cmd(struct gsm_bts *bts, struct rsl_ie_cb_cmd_type cmd_typ
rate_ctr_inc2(bts_ss->ctrs, CBCH_CTR_RCVD_QUEUED);
break;
case RSL_CB_CMD_TYPE_DEFAULT:
/* old default msg will be free'd in get_smscb_block() if it is currently in transit
* and we set a new default_msg here */
/* clear the cur_msg pointer if it is the old default message */
if (bts_ss->cur_msg && bts_ss->cur_msg == bts_ss->default_msg)
talloc_free(bts_ss->cur_msg);
bts_ss->cur_msg = NULL;
talloc_free(bts_ss->default_msg);
if (cmd_type.def_bcast == RSL_CB_CMD_DEFBCAST_NORMAL)
/* def_bcast == 0: normal message */
bts_ss->default_msg = scm;
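Review bot: the commit message says the old default is released with the TALLOC_FREE macro, but the line in this hunk is the plain call `talloc_free(bts_ss->default_msg);`, which leaves bts_ss->default_msg pointing at freed memory until the following `if (cmd_type.def_bcast == RSL_CB_CMD_DEFBCAST_NORMAL)` assigns it; the hunk ends at the NORMAL branch, so it is not visible here whether the other branch also assigns default_msg. Either use `TALLOC_FREE(bts_ss->default_msg);` as the message describes, or make sure every branch below assigns the pointer. The ordering of `bts_ss->cur_msg = NULL;` before the free is right: it has to happen before the old default is released, otherwise get_smscb_block() would free it again through the dangling cur_msg. Note also that the rendered hunk carries no +/- markers, so which of the two comment blocks survives cannot be read off the page.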