Ticket #55 (new defect)
Opened 15 months ago
GPRS/SGSN crash due to inconsistent msgb* handling across layers
| Reported by: | zecke2 | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | osmo-sgsn | Version: | |
| Keywords: | | Cc: | |
Description
1.) gprs_ns_sendmsg frees the message on error
2.) GB data_ind calls into sndcp_send_ud_frag...

```c
rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext);
if (rc < 0) {
	/* abort in case of error, do not advance frag_nr / next_byte */
	msgb_free(fmsg);
}
```

If this reaches down to gprs_ns_sendmsg it will delete the msgb and we will have a double free; if not, we will leak memory... We need to establish clear ownership and responsibilities.
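The following is an added example, not code from osmo-sgsn or from the reporter: a minimal model of the SNDCP -> LLC -> NS send path with an instrumented msgb pool, so that the double free and the leak described above show up as counters rather than as heap corruption. The function names (ns_sendmsg, llc_tx_ui_*, sndcp_send_*), the sapi_ok/link_up failure switches and the pool allocator are hypothetical stand-ins for the real gprs_*/msgb_* functions; only the ownership behaviour of each layer follows the description in the ticket.

```c
/* Added example, not osmocom code: a minimal model of msgb ownership on the
 * SNDCP -> LLC -> NS send path, instrumented so the double free and the leak
 * the ticket describes show up as counters instead of heap corruption. The
 * function names and the sapi_ok/link_up failure switches are hypothetical. */
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 8
struct msgb { int in_use; };          /* payload omitted: ownership is the point */
static struct msgb pool[POOL_SIZE];
static int n_double_free;             /* frees of an already freed msgb */

static struct msgb *msgb_alloc(void)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            return &pool[i];
        }
    return NULL;
}

static void msgb_free(struct msgb *m)
{
    if (!m->in_use) { n_double_free++; return; } /* heap corruption with a real allocator */
    m->in_use = 0;
}

/* Lowest layer, modelled on how the ticket describes gprs_ns_sendmsg: it owns
 * msg from here on and frees it on error as well as on success. */
static int ns_sendmsg(struct msgb *msg, int link_up)
{
    msgb_free(msg);
    return link_up ? 0 : -1;
}

/* Middle layer with the inconsistency the ticket is about: an early error
 * leaves msg with the caller, a late error inside ns_sendmsg does not. */
static int llc_tx_ui_inconsistent(struct msgb *msg, int sapi_ok, int link_up)
{
    if (!sapi_ok) return -1;              /* msg NOT freed: caller must free */
    return ns_sendmsg(msg, link_up);      /* msg freed: caller must NOT free */
}

/* Same layer under one rule: the callee takes ownership on every path. */
static int llc_tx_ui_consuming(struct msgb *msg, int sapi_ok, int link_up)
{
    if (!sapi_ok) { msgb_free(msg); return -1; }
    return ns_sendmsg(msg, link_up);
}

/* Caller as in the ticket's sndcp_send_ud_frag snippet: frees on error.
 * Right for an LLC-level error, a double free for an NS-level error. */
int sndcp_send_buggy(int sapi_ok, int link_up)
{
    struct msgb *fmsg = msgb_alloc();
    if (!fmsg) return -1;
    int rc = llc_tx_ui_inconsistent(fmsg, sapi_ok, link_up);
    if (rc < 0) msgb_free(fmsg);
    return rc;
}

/* Naive "fix" that only drops the free: an LLC-level error now leaks. */
int sndcp_send_nofree(int sapi_ok, int link_up)
{
    struct msgb *fmsg = msgb_alloc();
    return fmsg ? llc_tx_ui_inconsistent(fmsg, sapi_ok, link_up) : -1;
}

/* Actual fix: every layer consumes the msgb, so the caller never touches
 * fmsg after the call, whatever the return code. */
int sndcp_send_fixed(int sapi_ok, int link_up)
{
    struct msgb *fmsg = msgb_alloc();
    return fmsg ? llc_tx_ui_consuming(fmsg, sapi_ok, link_up) : -1;
}

/* Run one send on a fresh pool and report what it left behind. */
struct outcome { int rc; int live; int double_frees; };
struct outcome run_scenario(int (*send)(int, int), int sapi_ok, int link_up)
{
    struct outcome o = { 0, 0, 0 };
    memset(pool, 0, sizeof pool);
    n_double_free = 0;
    o.rc = send(sapi_ok, link_up);
    for (int i = 0; i < POOL_SIZE; i++) o.live += pool[i].in_use; /* still allocated = leaked */
    o.double_frees = n_double_free;
    return o;
}

int main(void)
{
    struct outcome a = run_scenario(sndcp_send_buggy, 1, 0);
    struct outcome b = run_scenario(sndcp_send_nofree, 0, 1);
    struct outcome c = run_scenario(sndcp_send_fixed, 1, 0);
    printf("buggy/NS error: double_frees=%d\nnofree/LLC error: leaked=%d\n"
           "fixed/NS error: leaked=%d double_frees=%d\n", a.double_frees, b.live, c.live, c.double_frees);
    return 0;
}
```

The point of the three callers is that neither "free on error" nor "never free" is correct while the layers below disagree about ownership; the only fix that holds on every path is the one rule applied at every layer (here: the callee always consumes the msgb), after which the caller has nothing to decide.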

