osmocom
/
libosmocore
mirror of https://gerrit.osmocom.org/libosmocore
11
0
Fork 0
Code Issues Releases Wiki Activity

gb: fix uninitialized ptr access in bssgp_encode_rim_pdu() 

Jumping to label 'error' before allocating memory and storing an
address to pointer 'rim_cont_buf' would result in passing garbage
to talloc_free().  Found with clang 14.

Change-Id: I9420615b64d3755fd9131e8561c516c39f83a15b
This commit is contained in:
Vadim Yanitskiy 2022-07-04 20:47:16 +07:00
parent 605c9e63bb
commit 0578c288ec
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/gb/gprs_bssgp_rim.c
View File

@ -1064,7 +1064,6 @@ struct msgb *bssgp_encode_rim_pdu(const struct bssgp_ran_information_pdu *pdu)
struct msgb *msg = bssgp_msgb_alloc();
struct bssgp_normal_hdr *bgph;
uint8_t rim_ri_buf[BSSGP_RIM_ROUTING_INFO_MAXLEN];
uint8_t *rim_cont_buf;
int rc;
if (!msg)
@ -1105,7 +1104,7 @@ struct msgb *bssgp_encode_rim_pdu(const struct bssgp_ran_information_pdu *pdu)
/* Put RIM container */
if (pdu->decoded_present) {
rim_cont_buf = talloc_zero_size(msg, msg->data_len);
uint8_t *rim_cont_buf = talloc_zero_size(msg, msg->data_len);
if (!rim_cont_buf)
goto error;
@ -1130,8 +1129,10 @@ struct msgb *bssgp_encode_rim_pdu(const struct bssgp_ran_information_pdu *pdu)
/* The API user must set the iei properly! */
OSMO_ASSERT(false);
}
if (rc < 0)
if (rc < 0) {
talloc_free(rim_cont_buf);
goto error;
}
msgb_tvlv_put(msg, pdu->rim_cont_iei, rc, rim_cont_buf);
talloc_free(rim_cont_buf);
@ -1143,7 +1144,6 @@ struct msgb *bssgp_encode_rim_pdu(const struct bssgp_ran_information_pdu *pdu)
return msg;
error:
talloc_free(rim_cont_buf);
msgb_free(msg);
return 0;
}