authorPhilipp Maier <pmaier@sysmocom.de>2020-10-02 17:35:25 +0200
committerPhilipp Maier <pmaier@sysmocom.de>2020-10-02 17:38:12 +0200
commitef6205ba00f3197803c05265d9abd1c64c24507d (patch)
parent86336af2a3240b7414b2993d4ee58b0f4e671f9f (diff)
gprs_sndcp: fix use after free
When compression is turned on, an extra buffer "expnd" is allocated in the talloc context of msg. This means that when msg is freed, expnd is freed along with it, so there is no need to free it explicitly; doing so after msg has already been freed causes talloc to abort. Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
1 files changed, 2 insertions, 2 deletions
diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c
index 7ce69600..19d87121 100644
--- a/src/sgsn/gprs_sndcp.c
+++ b/src/sgsn/gprs_sndcp.c
@@ -370,8 +370,8 @@ static int defrag_segments(struct gprs_sndcp_entity *sne)
* downwards in the call above */
- if (any_pcomp_or_dcomp_active(sgsn))
- talloc_free(expnd);
+ /* Note: We do not have to free expnd explicitly, because it is created
+ * within the talloc context of msg, which we just freed. */
return rc;