diff options
| author | Neels Janosch Hofmeyr <nhofmeyr@sysmocom.de> | 2023-02-09 00:06:41 +0100 |
|---|---|---|
| committer | neels <nhofmeyr@sysmocom.de> | 2023-02-10 02:23:52 +0000 |
| commit | c518e3fa0678d1d233645b3913032e56c67481b1 (patch) | |
| tree | 3137043f438d737fff76b25dedbb88a574e6f8e5 | |
| parent | 6df7905736f354abbef05894a59e067d6568bf0c (diff) | |
clarify API doc for osmo_pfcp_endpoint_tx()
I recently discovered some use-after-free in osmo-upf by wrong API usage
of osmo_pfcp_endpoint_tx(). Highlight this pitfall in API doc.
Change-Id: I637e7bb5d1296b5ad8db8ab0b8151fdbb9e7be03
| -rw-r--r-- | src/libosmo-pfcp/pfcp_endpoint.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/libosmo-pfcp/pfcp_endpoint.c b/src/libosmo-pfcp/pfcp_endpoint.c index 83a689f..7e08d8e 100644 --- a/src/libosmo-pfcp/pfcp_endpoint.c +++ b/src/libosmo-pfcp/pfcp_endpoint.c @@ -326,7 +326,12 @@ static int osmo_pfcp_endpoint_retrans_queue_add(struct osmo_pfcp_endpoint *endpo * Store the message in the local message queue for possible retransmissions. * On success, return zero, and pass ownership of m to ep. ep deallocates m when all retransmissions are done / a reply * has been received. - * On error, return nonzero, and immediately deallocate m. */ + * On error, return nonzero, and immediately deallocate m. + * + * WARNING: Do not access the osmo_pfcp_msg m after calling this function! In most cases, m will still remain allocated, + * and accessing it will work, but especially when an error occurs, m will be deallocated immediately. Hence, you will + * see no problem during normal successful operation, but your program will crash with use-after-free on any error! + */ int osmo_pfcp_endpoint_tx(struct osmo_pfcp_endpoint *ep, struct osmo_pfcp_msg *m) { struct osmo_pfcp_ie_node_id *node_id; |