rspro_client_fsm/remsim_client: Fix double-free
rspro_dec_msg() takes ownership of the input msgb in both successful and unsuccessful cases, so we must not call talloc_free on the resulting msgb. Change-Id: Id54d1b73395da1329a998d213c190da49eb90a93
parent
2f238cfac9
commit
9392e08011
|
@ -90,6 +90,7 @@ int bankd_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
|
|||
default:
|
||||
break;
|
||||
}
|
||||
msgb_free(msg);
|
||||
break;
|
||||
case IPAC_PROTO_OSMO:
|
||||
if (!he || msgb_l2len(msg) < sizeof(*he))
|
||||
|
|
|
@ -130,6 +130,7 @@ static int srvc_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
|
|||
break;
|
||||
default:
|
||||
break;
|
||||
msgb_free(msg);
|
||||
}
|
||||
break;
|
||||
case IPAC_PROTO_OSMO:
|
||||
|
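Review bot: The `msgb_free(msg);` in this srvc_read_cb hunk sits after the `break;` of the `default:` label and before the closing brace of the inner switch, so it can never execute. The page has lost its +/- markers, but the hunk header counts one added line and this appears to be it. Since a later hunk drops the `msgb_free(msg);` before `return rc;`, the case that precedes `IPAC_PROTO_OSMO` would then return without releasing `msg`, leaking one buffer per received message of that kind. Moving the call below the brace, so the order reads `}` then `msgb_free(msg);` then `break;` as in the first bankd_read_cb hunk, fixes it. The rest of the function lies outside the hunk.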
@ -139,6 +140,8 @@ static int srvc_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
|
|||
switch (he->proto) {
|
||||
case IPAC_PROTO_EXT_RSPRO:
|
||||
LOGPFSM(srvc->fi, "Received RSPRO %s\n", msgb_hexdump(msg));
|
||||
/* respro_dec_msg() takes ownership of the input message buffer in successful
|
||||
* and unsuccessful cases */
|
||||
pdu = rspro_dec_msg(msg);
|
||||
if (!pdu)
|
||||
goto invalid;
|
||||
|
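Review bot: `if (!pdu) goto invalid;` jumps to the shared error label after `rspro_dec_msg()` has already released `msg`, while the same label is also reached from `default: goto invalid;` in the next hunk, where the callback still owns the buffer. The body of `invalid:` is outside the visible hunks, but it cannot be right for both cases. If it frees `msg`, a PDU that fails to decode still hits the double free this commit sets out to remove, and if it does not, the pre-decode error paths leak. Returning from the decode-failure branch directly, e.g. `if (!pdu) return -1;` with whatever value `invalid:` returns, keeps ownership unambiguous. The new comment also spells the function `respro_dec_msg()` where the code calls `rspro_dec_msg()`.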
@ -152,7 +155,6 @@ static int srvc_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
|
|||
default:
|
||||
goto invalid;
|
||||
}
|
||||
msgb_free(msg);
|
||||
return rc;
|
||||
|
||||
invalid:
|
||||
|
|
|
@ -578,6 +578,7 @@ static int bankd_handle_setAtrReq(struct bankd_client *bc, RsproPDU_t *pdu)
|
|||
|
||||
static int bankd_handle_msg(struct bankd_client *bc, struct msgb *msg)
|
||||
{
|
||||
/* rspro_dec_msg takes ownership of msgb and talloc_free()s it in successful and unsuccessful case */
|
||||
RsproPDU_t *pdu = rspro_dec_msg(msg);
|
||||
if (!pdu) {
|
||||
LOGPFSML(bc->bankd_fi, LOGL_ERROR, "Error decoding PDU\n");
|
||||
|
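Review bot: The ownership rule is documented only inside the body of bankd_handle_msg, although it changes the function's contract for callers. `msg` is handed to `rspro_dec_msg()` in the first statement, so a caller must neither free nor read it after the call. A comment above the definition would make that visible from the call site in bankd_read_cb, e.g. `/* Takes ownership of msg: rspro_dec_msg() frees it whether or not decoding succeeds. */`. The function body continues past the end of this hunk.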
@ -627,7 +628,6 @@ int bankd_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
|
|||
LOGPFSML(bc->bankd_fi, LOGL_DEBUG, "Received RSPRO %s\n", msgb_hexdump(msg));
|
||||
|
||||
rc = bankd_handle_msg(bc, msg);
|
||||
msgb_free(msg);
|
||||
return rc;
|
||||
|
||||
invalid:
|
||||
|
|