Bug #55
GPRS/SGSN crash due to inconsistent msgb* handling across layers
Status: Closed
Priority: Urgent
Description
1.) gprs_ns_sendmsg frees the message on error
2.) GB data_ind calls into sndcp_send_ud_frag...
    rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext);
    if (rc < 0) {
        /* abort in case of error, do not advance frag_nr / next_byte */
        msgb_free(fmsg);
    }
If this reaches down to gprs_ns_sendmsg it will delete the msgb and we will have a double free; if not, we will leak memory. We need to establish clear ownership and responsibilities.
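The ownership rule the report asks for, as an added example (a mock msgb in a static pool, not libosmocore or OpenBSC code): the lowest tx layer consumes the msgb on every path, so no caller frees after an error. Counters in the mock show the quoted caller pattern producing a double free and the corrected caller producing neither a double free nor a leak.

```c
#include <stddef.h>

/* Mock msgb in a static pool: a freed buffer stays addressable, so a second
 * free is counted rather than corrupting the heap. Not libosmocore code. */
struct msgb { size_t len; int in_use; };
static struct msgb pool[8];
static int n_alloc, n_free, n_double_free;

static struct msgb *msgb_alloc(size_t len)
{
    for (int i = 0; i < 8; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1; pool[i].len = len; n_alloc++;
        return &pool[i];
    }
    return NULL;
}
static void msgb_free(struct msgb *m)
{
    if (!m->in_use) { n_double_free++; return; }
    m->in_use = 0; n_free++;
}

/* Bottom layer (stands in for gprs_ns_sendmsg): owns m on every path. */
static int ns_sendmsg(struct msgb *m, int simulate_error)
{
    msgb_free(m);   /* freed on success and on error alike */
    return simulate_error ? -1 : 0;
}

/* Middle layer (stands in for gprs_llc_tx_ui): forwards ownership only. */
static int llc_tx_ui(struct msgb *m, int simulate_error)
{
    return ns_sendmsg(m, simulate_error);
}
/* Top layer with the rule applied: ownership left on the call, no free. */
static int sndcp_send_frag(int simulate_error)
{
    struct msgb *m = msgb_alloc(16);
    return m ? llc_tx_ui(m, simulate_error) : -1;
}

/* The caller pattern quoted in the report; the counters flag it. */
static int sndcp_send_frag_reported(int simulate_error)
{
    struct msgb *m = msgb_alloc(16);
    if (!m) return -1;
    int rc = llc_tx_ui(m, simulate_error);
    if (rc < 0) msgb_free(m);   /* second free of an already consumed msgb */
    return rc;
}
```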