cellular-infrastructure
/
osmo-pcu
mirror of https://gerrit.osmocom.org/osmo-pcu
9
0
Fork 1
Code Issues Releases Wiki Activity

tbf: Make finding use-after-free more easy and set to NULL or return 

Make finding use-after-free more easy by setting things to NULL
or simply return after tbf_free(this) has been called.
This commit is contained in:
Holger Hans Peter Freyther 2014-01-16 10:09:42 +01:00
parent a004799699
commit 3d0cc2f97d
2 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/bts.cpp
View File

@ -851,6 +851,7 @@ void gprs_rlcmac_pdch::rcv_resource_request(Packet_Resource_Request_t *request,
"Killing pending DL TBF\n", tlli,
tbf_name(dl_tbf));
tbf_free(dl_tbf);
dl_tbf = NULL;
}
LOGP(DRLCMAC, LOGL_DEBUG, "MS requests UL TBF "
"in packet resource request of single "

4
src/tbf.cpp
View File

@ -568,6 +568,7 @@ void gprs_rlcmac_tbf::handle_timeout()
LOGP(DRLCMAC, LOGL_NOTICE, "%s releasing due to "
"PACCH assignment timeout.\n", tbf_name(this));
tbf_free(this);
return;
} else
LOGP(DRLCMAC, LOGL_ERROR, "Error: %s is not "
"in assign state\n", tbf_name(this));
@ -595,6 +596,7 @@ void gprs_rlcmac_tbf::handle_timeout()
"%s will be freed due to timeout\n", tbf_name(this));
/* free TBF */
tbf_free(this);
return;
break;
default:
LOGP(DRLCMAC, LOGL_ERROR,
@ -1531,6 +1533,7 @@ int gprs_rlcmac_tbf::extract_tlli(const uint8_t *data, const size_t len)
"Killing pending DL TBF\n", tlli(),
tbf_name(dl_tbf));
tbf_free(dl_tbf);
dl_tbf = NULL;
}
/* tbf_by_tlli will not find your TLLI, because it is not
* yet marked valid */
@ -1540,6 +1543,7 @@ int gprs_rlcmac_tbf::extract_tlli(const uint8_t *data, const size_t len)
"Killing pending UL TBF\n", tlli(),
tbf_name(ul_tbf));
tbf_free(ul_tbf);
ul_tbf = NULL;
}
/* mark TLLI valid now */
tlli_mark_valid();