rspro_client_fsm/remsim_client: Fix double-free

rspro_dec_msg() takes ownership of the input msgb in both
successful and unsuccessful cases, so we must not call talloc_free
on the resulting msgb.

Change-Id: Id54d1b73395da1329a998d213c190da49eb90a93
Harald Welte 2019-07-23 18:14:18 +02:00
parent 2f238cfac9
commit 9392e08011
3 changed files with 5 additions and 2 deletions


@ -90,6 +90,7 @@ int bankd_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
default:
break;
}
msgb_free(msg);
break;
case IPAC_PROTO_OSMO:
if (!he || msgb_l2len(msg) < sizeof(*he))


@ -130,6 +130,7 @@ static int srvc_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
break;
default:
break;
msgb_free(msg);
}
break;
case IPAC_PROTO_OSMO:
@ -139,6 +140,8 @@ static int srvc_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
switch (he->proto) {
case IPAC_PROTO_EXT_RSPRO:
LOGPFSM(srvc->fi, "Received RSPRO %s\n", msgb_hexdump(msg));
/* respro_dec_msg() takes ownership of the input message buffer in successful
* and unsuccessful cases */
pdu = rspro_dec_msg(msg);
if (!pdu)
goto invalid;
@ -152,7 +155,6 @@ static int srvc_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
default:
goto invalid;
}
msgb_free(msg);
return rc;
invalid:
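Review bot: The `msgb_free(msg);` in the first hunk of srvc_read_cb sits after `break;` under the `default:` label, so it can never run and the buffer is not released on the branch that precedes `case IPAC_PROTO_OSMO:`. It should follow the closing brace of the inner switch, as the corresponding hunk in bankd_read_cb does: `}` then `msgb_free(msg);` then `break;`. Separately, the code under `invalid:` lies outside the hunk; if it frees msg, the `goto invalid` taken when rspro_dec_msg() returns NULL would release the buffer a second time, because the added comment says the decoder consumes it on failure as well, so that path should be checked. The added comment also spells the function `respro_dec_msg()`, while the call is `rspro_dec_msg()`.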


@ -578,6 +578,7 @@ static int bankd_handle_setAtrReq(struct bankd_client *bc, RsproPDU_t *pdu)
static int bankd_handle_msg(struct bankd_client *bc, struct msgb *msg)
{
/* rspro_dec_msg takes ownership of msgb and talloc_free()s it in successful and unsuccessful case */
RsproPDU_t *pdu = rspro_dec_msg(msg);
if (!pdu) {
LOGPFSML(bc->bankd_fi, LOGL_ERROR, "Error decoding PDU\n");
@ -627,7 +628,6 @@ int bankd_read_cb(struct ipa_client_conn *conn, struct msgb *msg)
LOGPFSML(bc->bankd_fi, LOGL_DEBUG, "Received RSPRO %s\n", msgb_hexdump(msg));
rc = bankd_handle_msg(bc, msg);
msgb_free(msg);
return rc;
invalid: