From fcc5ffb96dc0346ea89d25a3c6d5bd562e351e4f Mon Sep 17 00:00:00 2001
From: Philipp Maier
Date: Fri, 11 Sep 2020 14:45:48 +0200
Subject: abis_rsl: fix memleak in rach dos reduction function

The function reduce_rach_dos() only removes the tossed channel requests from the list, but does not free them.

Change-Id: I0a62fc897c07e118dd637b156b6f2822c44db731
Related: OS#4549
---
 src/osmo-bsc/abis_rsl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/osmo-bsc/abis_rsl.c b/src/osmo-bsc/abis_rsl.c
index 347be129f..2af01d963 100644
--- a/src/osmo-bsc/abis_rsl.c
+++ b/src/osmo-bsc/abis_rsl.c
@@ -1389,6 +1389,7 @@ static void reduce_rach_dos(struct gsm_bts *bts)
 "(ra=0x%02x, neci=0x%02x, chreq_reason=0x%02x)\n",
 rqd->ref.ra, bts->network->neci, rqd->reason);
 llist_del(&rqd->entry);
+ talloc_free(rqd);
 } else {
 rqd_count++;
 }
@@ -1398,7 +1399,9 @@ static void reduce_rach_dos(struct gsm_bts *bts)
 * problem with RACH dos on this BTS. We drop the first entry in the list to clip the growth of the list. */
 if (rqd_count > 255) {
 LOG_BTS(bts, DRSL, LOGL_INFO, "CHAN RQD: more than 255 queued RACH requests -- RACH DoS attack?\n");
- llist_del(&llist_first_entry(&bts->chan_rqd_queue, struct chan_rqd, entry)->entry);
+ rqd = llist_first_entry(&bts->chan_rqd_queue, struct chan_rqd, entry);
+ llist_del(&rqd->entry);
+ talloc_free(rqd);
 }
 }

-- 
cgit v1.2.3
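Review bot: The added `talloc_free(rqd);` frees the element the enclosing loop is currently positioned on, which is only safe if that loop uses the `_safe` list iterator that fetches the next entry before the body runs. The loop header is outside this hunk, so that should be confirmed before merging. A one-line comment at the free would record the ownership rule for the next reader, for example `/* the queue owns rqd: always unlink and free together */`. The same unlink-then-free pair is repeated in the second hunk (the overflow clip), so a small static helper doing both steps would keep the two paths from drifting apart again.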
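Review bot: The overflow path still discards a request without recording which one it was, although the entry is now held in `rqd` before being freed. Moving the log call below the `rqd = llist_first_entry(...)` line would let it carry the same fields the expiry path prints, e.g. `LOG_BTS(bts, DRSL, LOGL_INFO, "CHAN RQD: more than 255 queued RACH requests, dropping ra=0x%02x -- RACH DoS attack?\n", rqd->ref.ra);`. That helps an operator distinguish a flood from ordinary congestion when reading the log afterwards. Separately, the clip removes only one entry per call, so the 255 bound presumably holds only if this function runs at least once per queued request. The callers are outside the hunk, so a short comment stating that assumption would be worth adding.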