Review at  https://gerrit.osmocom.org/7765

bsc_nat: ctrl: Fix crash on receiving bsc reply

Since libosmocore 7c0031fc8063771e604976233fb7b46d2b85c077, the cmd
param passed to handlers in ctrl_handle_msg is always freed afterwards,
thus it is owned by the same function. Avoid keeping it alive and
accessing it later when it has already been freed.

Related: OS#3157

Change-Id: I764917f641b170597e405f1865b0f7b94bae1597
---
M src/osmo-bsc_nat/bsc_nat_ctrl.c
1 file changed, 8 insertions(+), 2 deletions(-)


  git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/65/7765/1

diff --git a/src/osmo-bsc_nat/bsc_nat_ctrl.c b/src/osmo-bsc_nat/bsc_nat_ctrl.c
index 7df3ca3..75c0dfa 100644
--- a/src/osmo-bsc_nat/bsc_nat_ctrl.c
+++ b/src/osmo-bsc_nat/bsc_nat_ctrl.c
@@ -80,7 +80,6 @@
 {
        llist_del(&pending->list_entry);
        osmo_timer_del(&pending->timeout);
-       talloc_free(pending->cmd);
        talloc_free(pending);
 }
 
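Review bot: dropping the explicit talloc_free(pending->cmd) in this hunk is only correct because the copy is allocated with pending as its talloc parent (ctrl_cmd_cpy(pending, cmd) in the second hunk), so it is released as a child of talloc_free(pending); a one-line comment above "talloc_free(pending);" stating that pending->cmd is freed as a talloc child would make that invariant explicit and prevent a later change that allocates pending->cmd under a different parent from leaking it.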
@@ -276,8 +275,15 @@
                        cmd->reply = "Sending failed";
                        goto err;
                }
+
+               /* caller owns cmd param and will destroy it after we return */
+               pending->cmd = ctrl_cmd_cpy(pending, cmd);
+               if (!pending->cmd) {
+                       cmd->reply = "Could not answer command";
+                       goto err;
+               }
                cmd->ccon->closed_cb = ctrl_conn_closed_cb;
-               pending->cmd = cmd;
+               pending->cmd->ccon = cmd->ccon;
 
                /* Setup the timeout */
                osmo_timer_setup(&pending->timeout, pending_timeout_cb,
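Review bot: the new ctrl_cmd_cpy() failure path runs after the send has already succeeded (it sits below the "Sending failed" check), so on allocation failure the request is already outstanding at the BSC while "goto err" leaves no pending entry to match its reply; consider moving the copy, and the "Could not answer command" check, ahead of the send so that failure aborts before anything is put on the wire. Also worth a short comment next to "pending->cmd->ccon = cmd->ccon;" noting that ctrl_cmd_cpy() does not carry the connection pointer over, since that line is otherwise easy to mistake for redundant with the closed_cb assignment above it.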

-- 
To view, visit https://gerrit.osmocom.org/7765
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I764917f641b170597e405f1865b0f7b94bae1597
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pes...@sysmocom.de>
