From 9c3baa89fb6b3fc1ef588930f361d013f98a1e39 Mon Sep 17 00:00:00 2001 
From: Pau Espin Pedrol Date: Mon, 13 Aug 2018 17:24:41 +0200 Subject: sscp_scrc: Fix memleak of xua_msg when handing it to scrc_rx_mtp_xfer_ind_xua Fixes following error provided by LeakSanitizer: Indirect leak of 1496 byte(s) in 11 object(s) allocated from: #0 0x7f1eb3332d99 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86 #1 0x7f1eae617b61 in _talloc_zero (/usr/lib/libtalloc.so.2+0x5b61) #2 0x7f1eb063e365 in xua_msg_alloc /home/pespin/dev/sysmocom/git/libosmo-sccp/src/xua_msg.c:49 #3 0x7f1eb0650ee3 in osmo_sccp_to_xua /home/pespin/dev/sysmocom/git/libosmo-sccp/src/sccp2sua.c:1298 #4 0x7f1eb0668d6a in mtp_user_prim_cb /home/pespin/dev/sysmocom/git/libosmo-sccp/src/sccp_user.c:173 #5 0x7f1eb068ba86 in deliver_to_mtp_user /home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7_hmrt.c:94 #6 0x7f1eb068bf00 in hmdt_message_for_distribution /home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7_hmrt.c:133 #7 0x7f1eb068d345 in m3ua_hmdc_rx_from_l2 /home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7_hmrt.c:275 #8 0x7f1eb063c08f in m3ua_rx_xfer /home/pespin/dev/sysmocom/git/libosmo-sccp/src/m3ua.c:586 #9 0x7f1eb063cea6 in m3ua_rx_msg /home/pespin/dev/sysmocom/git/libosmo-sccp/src/m3ua.c:739 #10 0x7f1eb0687188 in xua_cli_read_cb /home/pespin/dev/sysmocom/git/libosmo-sccp/src/osmo_ss7.c:1590 #11 0x7f1eaff77db4 in osmo_stream_cli_read /home/pespin/dev/sysmocom/git/libosmo-netif/src/stream.c:192 #12 0x7f1eaff79091 in osmo_stream_cli_fd_cb /home/pespin/dev/sysmocom/git/libosmo-netif/src/stream.c:276 #13 0x7f1eaf259795 in osmo_fd_disp_fds /home/pespin/dev/sysmocom/git/libosmocore/src/select.c:217 #14 0x7f1eaf259abb in osmo_select_main /home/pespin/dev/sysmocom/git/libosmocore/src/select.c:257 #15 0x55666c1bebd3 in main /home/pespin/dev/sysmocom/git/osmo-msc/src/osmo-msc/msc_main.c:697 #16 0x7f1ead1c306a in __libc_start_main (/usr/lib/libc.so.6+0x2306a) #17 0x55666c1bc649 in _start 
(/home/pespin/dev/sysmocom/build/new/out/bin/osmo-msc+0x185649) The code path is the following, starting from mpt_user_prim_cb: mtp_user_prim_cb osmo_sccp_to_xua xua_msg_alloc scrc_rx_mtp_xfer_ind_xua sccp_scoc_rx_from_scrc scrc_node_6 scrc_node_4 scrc_translate_node_9 So the xua_msg is created in mtp_user_prim_cb through osmo_sccp_to_xua and then handed over to scrc_rx_mtp_xfer_ind_xua which transfers the xua_msg and thus should take ownserhip of it, and consecuently freeing it once it's done using it. Change-Id: I43e159c82b64bd85b185f77ee19b6455a96e082f
---
 src/sccp_scrc.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/sccp_scrc.c b/src/sccp_scrc.c
index cd01774..9005dc7 100644
--- a/src/sccp_scrc.c
+++ b/src/sccp_scrc.c
@@ -438,13 +438,14 @@ int sccp_scrc_rx_sclc_msg(struct osmo_sccp_instance *inst,
 }
 
 /* Figure C.1/Q.714 Sheet 1 of 12, after we converted the
- * MTP-TRANSFER.ind to SUA */
+ * MTP-TRANSFER.ind to SUA. Takes ownership of \a xua and frees it once processed. */
 int scrc_rx_mtp_xfer_ind_xua(struct osmo_sccp_instance *inst,
 struct xua_msg *xua)
 {
 struct osmo_sccp_addr called;
 uint32_t proto_class;
 struct xua_msg_part *hop_ctr_part;
+ int rc;
 
 LOGP(DLSS7, LOGL_DEBUG, "%s: %s\n", __func__, xua_msg_dump(xua, &xua_dialect_sua));
 /* TODO: SCCP or nodal congestion? */
@@ -454,6 +455,7 @@ int scrc_rx_mtp_xfer_ind_xua(struct osmo_sccp_instance *inst,
 /* Node 1 (Sheet 3) */
 /* deliver to SCOC */
 sccp_scoc_rx_from_scrc(inst, xua);
+ xua_msg_free(xua);
 return 0;
 }
 /* We only treat connectionless and CR below */
@@ -463,7 +465,9 @@ int scrc_rx_mtp_xfer_ind_xua(struct osmo_sccp_instance *inst,
 /* Route on GT? */
 if (called.ri != OSMO_SCCP_RI_GT) {
 /* Node 6 (Sheet 3) */
- return scrc_node_6(inst, xua, &called);
+ rc = scrc_node_6(inst, xua, &called);
+ xua_msg_free(xua);
+ return rc;
 }
 /* Message with hop-counter? */
 hop_ctr_part = xua_msg_find_tag(xua, SUA_IEI_S7_HOP_CTR);
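Review bot: The ownership transfer stated in the new comment on `scrc_rx_mtp_xfer_ind_xua` changes the contract for every caller, yet the diffstat shows only src/sccp_scrc.c modified. Any caller that still reads or frees `xua` after the call would now hit a use-after-free or a double free; the commit message names `mtp_user_prim_cb` as the caller, and that one plus any others should be checked. I would also state the rule where callers read it, presumably on the prototype in the header, e.g. `/* Takes ownership of \a xua: the caller must not use or free it after this call. */`. The function body continues outside this hunk.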
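Review bot: Freeing `xua` directly after `sccp_scoc_rx_from_scrc(inst, xua);` in the Node 1 branch is only safe if SCOC finishes with the message synchronously and keeps no pointer to it or to its parts, which cannot be confirmed from this hunk. The same assumption applies to the `scrc_node_6`, `scrc_node_4` and `scrc_translate_node_9` calls in the following hunks. If any of them can queue or store the message, it needs its own copy before the free, otherwise the leak is traded for a use-after-free. A comment at the free such as `/* callee must not retain xua beyond this call */` would record the assumption. The enclosing function starts and ends outside this hunk.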
@@ -472,7 +476,9 @@ int scrc_rx_mtp_xfer_ind_xua(struct osmo_sccp_instance *inst,
 if (hop_counter <= 1) {
 /* Error: hop-counter violation */
 /* node 4 */
- return scrc_node_4(inst, xua, SCCP_RETURN_CAUSE_HOP_COUNTER_VIOLATION);
+ rc = scrc_node_4(inst, xua, SCCP_RETURN_CAUSE_HOP_COUNTER_VIOLATION);
+ xua_msg_free(xua);
+ return rc;
 }
 /* Decrement hop-counter */
 hop_counter--;
@@ -492,5 +498,7 @@ int scrc_rx_mtp_xfer_ind_xua(struct osmo_sccp_instance *inst,
 default:
 break;
 }
- return scrc_translate_node_9(inst, xua, &called);
+ rc = scrc_translate_node_9(inst, xua, &called);
+ xua_msg_free(xua);
+ return rc;
 }
-- cgit v1.2.3
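Review bot: The `rc = ...; xua_msg_free(xua); return rc;` sequence at the end of `scrc_rx_mtp_xfer_ind_xua` is the fourth copy of the same exit pattern in this patch, so the ownership rule depends on every present and future return remembering the free. Any return in the lines not shown between the hunks, if there is one, would still leak. A single cleanup exit is harder to break: each branch sets `rc` and does `goto out;`, and the function ends with `out:`, `xua_msg_free(xua);`, `return rc;`. The Node 1 branch would set `rc = 0` before jumping. The function begins outside this hunk.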