From f47df64a3b5f7389c8a184ee05b8dc0bcc9c0700 Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@gnumonks.org>
Date: Mon, 9 Aug 2010 21:15:40 +0800
Subject: [GPRS NS] Fix memory leak in gprs_ns_sendmsg() error path

When gprs_ns_sendmsg() succeeds in sending the message, we free()d the
msgb after transmitting it on the socket.  However, if the NS-VC is
blocked or some other error condition exists, we returned an error
code but didn't free the msgb.

This resulted in an error leak which is now being addressed.
---
 openbsc/src/gprs/gprs_ns.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'openbsc/src')

diff --git a/openbsc/src/gprs/gprs_ns.c b/openbsc/src/gprs/gprs_ns.c
index 3db1d67f..6009a7d9 100644
--- a/openbsc/src/gprs/gprs_ns.c
+++ b/openbsc/src/gprs/gprs_ns.c
@@ -505,6 +505,7 @@ int gprs_ns_sendmsg(struct gprs_ns_inst *nsi, struct msgb *msg)
 	if (!nsvc) {
 		LOGP(DNS, LOGL_ERROR, "Unable to resolve NSEI %u "
 			"to NS-VC!\n", msgb_nsei(msg));
+		msgb_free(msg);
 		return -EINVAL;
 	}
 	log_set_context(BSC_CTX_NSVC, nsvc);
@@ -512,11 +513,13 @@ int gprs_ns_sendmsg(struct gprs_ns_inst *nsi, struct msgb *msg)
 	if (!(nsvc->state & NSE_S_ALIVE)) {
 		LOGP(DNS, LOGL_ERROR, "NSEI=%u is not alive, cannot send\n",
 			nsvc->nsei);
+		msgb_free(msg);
 		return -EBUSY;
 	}
 	if (nsvc->state & NSE_S_BLOCKED) {
 		LOGP(DNS, LOGL_ERROR, "NSEI=%u is blocked, cannot send\n",
 			nsvc->nsei);
+		msgb_free(msg);
 		return -EBUSY;
 	}
 
@@ -524,6 +527,7 @@ int gprs_ns_sendmsg(struct gprs_ns_inst *nsi, struct msgb *msg)
 	nsh = (struct gprs_ns_hdr *) msg->l2h;
 	if (!nsh) {
 		LOGP(DNS, LOGL_ERROR, "Not enough headroom for NS header\n");
+		msgb_free(msg);
 		return -EIO;
 	}
 
-- 
cgit v1.2.3