cellular-infrastructure
/
osmo-msc
mirror of https://gerrit.osmocom.org/osmo-msc
9
0
Fork 0
Code Issues Releases Wiki Activity

sms_queue: fix use-after-free on 'pending' 

This bug is super obvious: We cannot first call
sms_pending_free(pending) and then in the next line still dereference
the pending->sms_id member.

This bug was introduced in January with Change-Id: I3749855fe25d9d4e37ec96b0c2bffbc692b66a78
and apparently nobody has tested any MT-SMS with asan enabled since?

Change-Id: Ibf17f270cdeb8153036eda3de274dd163bbff7e6
Closes: OS#3152
This commit is contained in:
Harald Welte 2018-04-14 20:53:36 +02:00
parent ce96928e12
commit 37a3ae8585
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/libmsc/sms_queue.c
View File

@ -480,8 +480,8 @@ static int sms_sms_cb(unsigned int subsys, unsigned int signal,
/* Remember the subscriber and clear the pending entry */
network->sms_queue->pending -= 1;
vsub = vlr_subscr_get(pending->vsub);
sms_pending_free(pending);
db_sms_delete_sent_message_by_id(pending->sms_id);
sms_pending_free(pending);
/* Attempt to send another SMS to this subscriber */
sms_send_next(vsub);
vlr_subscr_put(vsub);