lapdm_rslms_recvmsg: Fix memory leak in error path The caller of lapdm_rslms_recvmsg() (e.g. osmo-bts/src/common/rsl.c) assumes the message ownership is transferred. However, in one of the two error paths, msgb_free() was not called and hence we had a memory leak. Also clarify the msgb ownership transfer in a comment. Related: OS#3750 Change-Id: Id60cb45e50bfc89224d97df6c68fcd2949751895

commit: 7023aa0af972441261ccb7d8e81c412279e7eb0e [log] [tgz]
author: Harald Welte <laforge@gnumonks.org> Sun May 19 12:17:06 2019 +0200
committer: Harald Welte <laforge@gnumonks.org> Sun May 19 12:19:02 2019 +0200
tree: f45d6836778a8e5d6342c81b552b4e6a1dc297ab
parent: 8006f5393e21750558a01c780641831d925382ee [diff] [blame]
diff --git a/src/gsm/lapdm.c b/src/gsm/lapdm.c
index ba9b3df..d76175b 100644
--- a/src/gsm/lapdm.c
+++ b/src/gsm/lapdm.c

@@ -1269,7 +1269,8 @@
 	return rc;
 }
 
-/*! Receive a RSLms \ref msgb from Layer 3 */
+/*! Receive a RSLms \ref msgb from Layer 3. 'msg' ownership is transferred,
+ *  i.e. caller must not free it */
 int lapdm_rslms_recvmsg(struct msgb *msg, struct lapdm_channel *lc)
 {
 	struct abis_rsl_common_hdr *rslh = msgb_l2(msg);
@@ -1277,6 +1278,7 @@
 
 	if (msgb_l2len(msg) < sizeof(*rslh)) {
 		LOGP(DLLAPD, LOGL_ERROR, "Message too short RSL hdr!\n");
+		msgb_free(msg);
 		return -EINVAL;
 	}
commit	7023aa0af972441261ccb7d8e81c412279e7eb0e	[log] [tgz]
author	Harald Welte <laforge@gnumonks.org>	Sun May 19 12:17:06 2019 +0200
committer	Harald Welte <laforge@gnumonks.org>	Sun May 19 12:19:02 2019 +0200
tree	f45d6836778a8e5d6342c81b552b4e6a1dc297ab
parent	8006f5393e21750558a01c780641831d925382ee [diff] [blame]