authorStefan Sperling <ssperling@sysmocom.de>2018-06-06 17:23:53 +0200
committerStefan Sperling <ssperling@sysmocom.de>2018-06-06 17:25:52 +0200
commit7eb45887b32d9b16c1ea45ab995a6d0398887056 (patch)
tree77c052dc463d53ca16c0ab7b186e308d65af672c
parentee770e5b5d9b91266177b0689f671e13d4eb087d (diff)
fix use after free in osmo_sccp_simple_server_add_clnt()
The variable as_name was freed before being passed to the osmo_ss7_route_create() function. Free it later to avoid a use-after-free crash with address sanitizer. Found by running 'examples/m3ua_example aaa' with address sanitizer enabled. Change-Id: I9d724bc1d2aa8d6f8b6a67bdeafdb5f0f9136413 Related: OS#2666
-rw-r--r--src/sccp_user.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/sccp_user.c b/src/sccp_user.c
index a6161c0..99ed96e 100644
--- a/src/sccp_user.c
+++ b/src/sccp_user.c
@@ -611,7 +611,6 @@ osmo_sccp_simple_server_add_clnt(struct osmo_sccp_instance *inst,
as = osmo_ss7_as_find_or_create(ss7, as_name, prot);
if (!as)
goto out_strings;
- talloc_free(as_name);
/* route only selected PC to the client */
rt = osmo_ss7_route_create(ss7->rtable_system, pc, 0xffff, as_name);
@@ -624,6 +623,7 @@ osmo_sccp_simple_server_add_clnt(struct osmo_sccp_instance *inst,
asp->cfg.is_server = true;
osmo_ss7_as_add_asp(as, asp_name);
talloc_free(asp_name);
+ talloc_free(as_name);
osmo_ss7_asp_restart(asp);
return ss7->sccp;
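Review bot: The relocated `talloc_free(as_name);` on the success path is only safe if osmo_ss7_route_create() copies the name rather than keeping the caller's pointer. Its body is not visible here, so this should be confirmed; a retained pointer would only move the use-after-free to a later access of the route. Because as_name now stays live across the route and ASP creation steps, the failure exits between the two hunks also need a look: they presumably fall through to `out_strings`, and each must release as_name exactly once, with no leak and no double free. A short comment above the two frees would record the lifetime rule, for example `/* names are only needed during setup; the callees are expected to copy them */`. The function starts and ends outside both hunks, so the cleanup labels could not be checked from this page.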