authorPhilipp Maier <pmaier@sysmocom.de>2020-10-02 17:35:25 +0200
committerPhilipp Maier <pmaier@sysmocom.de>2020-10-02 17:38:12 +0200
commitef6205ba00f3197803c05265d9abd1c64c24507d (patch)
tree2736c4d6f1ec4053e65ea269e08c9e2b598a046f
parent86336af2a3240b7414b2993d4ee58b0f4e671f9f (diff)
gprs_sndcp: fix use after free
When compression is turned on, an extra buffer "expnd" is allocated in the talloc context of msg. This means that when msg is freed, expnd is freed as well and there is no need to free it explicitly; doing so after freeing msg causes talloc to abort. Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
-rw-r--r--src/sgsn/gprs_sndcp.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c
index 7ce69600..19d87121 100644
--- a/src/sgsn/gprs_sndcp.c
+++ b/src/sgsn/gprs_sndcp.c
@@ -370,8 +370,8 @@ static int defrag_segments(struct gprs_sndcp_entity *sne)
* downwards in the call above */
msgb_free(msg);
- if (any_pcomp_or_dcomp_active(sgsn))
- talloc_free(expnd);
+ /* Note: We do not have to free expnd explicitly, because it is created
+ * within the talloc context of msg, which we just freed. */
return rc;
}
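Review bot: After `msgb_free(msg);` the local `expnd` is a dangling pointer for the rest of the function, and the new comment says only that it need not be freed, not that it must not be touched; the ownership relation it relies on (expnd talloc'd as a child of msg) is established at the allocation site, which is outside this hunk. I would extend the comment to make both facts explicit, e.g. `/* expnd (if allocated) is a talloc child of msg, so msgb_free(msg) above released it too; do not free or dereference expnd below this point. */`, so that a later refactor that changes expnd's talloc parent or adds code before `return rc;` does not silently reintroduce the leak or the use-after-free. The removed `any_pcomp_or_dcomp_active(sgsn)` check suggests expnd is only allocated on the compression path; if any other allocation of expnd uses a parent other than msg, it would now leak, which is worth confirming at the allocation site. defrag_segments begins before this hunk.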