From 7023aa0af972441261ccb7d8e81c412279e7eb0e Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Sun, 19 May 2019 12:17:06 +0200
Subject: lapdm_rslms_recvmsg: Fix memory leak in error path
The caller of lapdm_rslms_recvmsg() (e.g. osmo-bts/src/common/rsl.c) assumes the message ownership is transferred. However, in one of the two error paths, msgb_free() was not called and hence we had a memory leak. Also clarify the msgb ownership transfer in a comment.
Related: OS#3750
Change-Id: Id60cb45e50bfc89224d97df6c68fcd2949751895
---
 src/gsm/lapdm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index ba9b3dfb..d76175bf 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c
@@ -1269,7 +1269,8 @@ static int rslms_rx_com_chan(struct msgb *msg, struct lapdm_channel *lc)
 return rc;
 }
-/*! Receive a RSLms \ref msgb from Layer 3 */
+/*! Receive a RSLms \ref msgb from Layer 3. 'msg' ownership is transferred,
+ * i.e. caller must not free it */
 int lapdm_rslms_recvmsg(struct msgb *msg, struct lapdm_channel *lc)
 {
 struct abis_rsl_common_hdr *rslh = msgb_l2(msg);
@@ -1277,6 +1278,7 @@ int lapdm_rslms_recvmsg(struct msgb *msg, struct lapdm_channel *lc)
 if (msgb_l2len(msg) < sizeof(*rslh)) {
 LOGP(DLLAPD, LOGL_ERROR, "Message too short RSL hdr!\n");
+ msgb_free(msg);
 return -EINVAL;
 }
--
cgit v1.2.3
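Review bot: The added `msgb_free(msg);` in the short-header branch of lapdm_rslms_recvmsg() means the function now releases `msg` on an error return, so any caller that still frees or reads `msg` after a negative return code would turn the old leak into a double free or use-after-free. The commit message names only the osmo-bts caller, so the remaining callers are worth checking against the new contract. The doc comment changed in the first hunk says the caller must not free the message but does not say that this also holds when an error is returned; I would word it as `'msg' ownership is always transferred, also on error: the caller must neither free nor access it after the call`. The function body continues past the end of the hunk, so whether every other return path frees or hands off `msg` cannot be confirmed from these lines.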