Bug #55: GPRS/SGSN crash due inconsistent msgb* handling across layers - OsmoSGSN - Open Source Mobile Communications

Actions

Copy link

Bug #55

closed

GPRS/SGSN crash due inconsistent msgb* handling across layers

Added by about 8 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Urgent

Assignee:

Category:

Target version:

Start date:

Due date:

% Done:

Spec Reference:

Description

1.) gprs_ns_sendmsg frees the message on error
2.) GB data_ind calls into sndcp_send_ud_frag...

rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext);
        if (rc < 0) {
                /* abort in case of error, do not advance frag_nr / next_byte */
                msgb_free(fmsg);
        }

if this reaches down to gprs_ns_sendmsg it will delete the msgb and we will have a double free, it not we will leak memory... we need to establish a clear ownership and responsibilities..

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Cellular Network Infrastructure » Core Network (CN) » OsmoSGSN

Custom queries

Bug #55

GPRS/SGSN crash due inconsistent msgb* handling across layers

Updated by laforge almost 8 years ago

Updated by laforge almost 8 years ago

Updated by laforge over 6 years ago

Updated by zecke over 6 years ago

Updated by laforge over 6 years ago