cellular-infrastructure
/
osmo-mgw
mirror of https://gerrit.osmocom.org/osmo-mgw
10
0
Fork 0
Code Issues Releases Wiki Activity

libosmo-mgcp-client: fix use-after-free in mgcp_client_tx() 

This function calls mgcp_client_pending_add(), that in its turn
allocates a 'mgcp_response_pending' and appends it to the queue.

In case of an error, it calls mgcp_client_handle_response() that
would free the 'mgcp_response_pending', but this structure would
still remain in the linked list (the queue).

Change-Id: Id94bb93a6b0ea7b7241cf7868112e9bec3e60f0b
This commit is contained in:
Vadim Yanitskiy 2020-06-17 20:50:17 +07:00 committed by laforge
parent 98c09b3f30
commit 3f8139c55f
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libosmo-mgcp-client/mgcp_client.c
View File

@ -959,6 +959,8 @@ int mgcp_client_tx(struct mgcp_client *mgcp, struct msgb *msg,
return 0;
mgcp_tx_error:
/* Dequeue pending response, it's going to be free()d */
llist_del(&pending->entry);
/* Pass NULL to response cb to indicate an error */
mgcp_client_handle_response(mgcp, pending, NULL);
return -1;