From ef6205ba00f3197803c05265d9abd1c64c24507d Mon Sep 17 00:00:00 2001
From: Philipp Maier
Date: Fri, 2 Oct 2020 17:35:25 +0200
Subject: gprs_sndcp: fix use after free

When compression is turned on, an extra buffer "expnd" is allocated in the context of msg. This means that when msg is freed, expnd is freed as well and there is no need for freein it explcicitly, which, when it is done after freeng msg, causes talloc to abort.

Change-Id: I8959b75e241ffabf9fa34c4cf014721584372b26
---
 src/sgsn/gprs_sndcp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c
index 7ce69600d..19d87121e 100644
--- a/src/sgsn/gprs_sndcp.c
+++ b/src/sgsn/gprs_sndcp.c
@@ -370,8 +370,8 @@ static int defrag_segments(struct gprs_sndcp_entity *sne)
  * downwards in the call above */
  msgb_free(msg);
- if (any_pcomp_or_dcomp_active(sgsn))
- talloc_free(expnd);
+ /* Note: We do not have to free expnd explicitly, because it is created
+ * within the talloc context of msg, which we just freed. */
  return rc;
  }
-- 
cgit v1.2.3
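Review bot: The new comment replacing talloc_free(expnd) states the ownership invariant only where it is relied on, not where it is established, so a later change that allocates expnd outside msg's talloc context (or makes it point at memory msg does not own) would silently turn this return path back into a leak or a double free. I would have the comment name the contract and the consequence rather than just "we do not have to", e.g. `/* expnd, when allocated, is a talloc child of msg, so msgb_free(msg) above already released it; freeing it again here would make talloc abort. */`, and mirror that contract with a one-line comment at the site that allocates expnd, which is outside this hunk. If expnd is always a talloc chunk whenever compression is active — I cannot tell from this hunk — a check such as `OSMO_ASSERT(talloc_parent(expnd) == msg);` placed before msgb_free(msg), under the same any_pcomp_or_dcomp_active(sgsn) condition the removed code used, would pin the invariant cheaply. defrag_segments starts outside the hunk, so how expnd is initialised on the non-compression path is not visible here.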