From 7eb45887b32d9b16c1ea45ab995a6d0398887056 Mon Sep 17 00:00:00 2001
From: Stefan Sperling
Date: Wed, 6 Jun 2018 17:23:53 +0200
Subject: fix use after free in osmo_sccp_simple_server_add_clnt()
The variable as_name was freed before being passed to the osmo_ss7_route_create() function. Free it later to avoid a use-after-free crash with address sanitizer. Found by running 'examples/m3ua_example aaa' with address sanitizer enabled.
Change-Id: I9d724bc1d2aa8d6f8b6a67bdeafdb5f0f9136413
Related: OS#2666
---
 src/sccp_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sccp_user.c b/src/sccp_user.c
index a6161c0..99ed96e 100644
--- a/src/sccp_user.c
+++ b/src/sccp_user.c
@@ -611,7 +611,6 @@ osmo_sccp_simple_server_add_clnt(struct osmo_sccp_instance *inst,
 as = osmo_ss7_as_find_or_create(ss7, as_name, prot);
 if (!as)
 goto out_strings;
- talloc_free(as_name);
 /* route only selected PC to the client */
 rt = osmo_ss7_route_create(ss7->rtable_system, pc, 0xffff, as_name);
@@ -624,6 +623,7 @@ osmo_sccp_simple_server_add_clnt(struct osmo_sccp_instance *inst,
 asp->cfg.is_server = true;
 osmo_ss7_as_add_asp(as, asp_name);
 talloc_free(asp_name);
+ talloc_free(as_name);
 osmo_ss7_asp_restart(asp);
 return ss7->sccp;
-- cgit v1.2.3
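Review bot: The relocated `talloc_free(as_name);` in the second hunk covers only the success path, and neither hunk shows the error exits taken after `osmo_ss7_route_create()`; each of those exits should release `as_name` exactly once, so that the fix does not trade the use-after-free for a leak or a double free. Only `goto out_strings` is visible here, and the function body starts and ends outside both hunks, so this needs checking against the cleanup labels at the end of the function. A short comment at the new free, e.g. `/* as_name is read by osmo_ss7_route_create() above; free only after the last use */`, would keep a later cleanup from moving it back. The fix also appears to rely on `osmo_ss7_as_find_or_create()` and `osmo_ss7_route_create()` copying the name rather than keeping the pointer, which is worth confirming since a retained pointer would still dangle after the final free.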