nat: fix use after free in forward_sccp_to_bts
valgrind detected a use after free in the path of forward_sccp_to_bts.
The 'parsed' object is referenced from update_con_authorize.
diff --git a/openbsc/src/osmo-bsc_nat/bsc_nat.c b/openbsc/src/osmo-bsc_nat/bsc_nat.c
index 0496802..27ac747 100644
--- a/openbsc/src/osmo-bsc_nat/bsc_nat.c
+++ b/openbsc/src/osmo-bsc_nat/bsc_nat.c
@@ -716,15 +716,18 @@
LOGP(DNAT, LOGL_ERROR, "Unknown connection for msg type: 0x%x from the MSC.\n", parsed->sccp_type);
}
- talloc_free(parsed);
- if (!con)
+ if (!con) {
+ talloc_free(parsed);
return -1;
+ }
if (!con->bsc->authenticated) {
+ talloc_free(parsed);
LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n");
return -1;
}
update_con_authorize(con, parsed, msg);
+ talloc_free(parsed);
bsc_send_data(con->bsc, msg->l2h, msgb_l2len(msg), proto);
return 0;
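Review bot: `talloc_free(parsed)` is now repeated on three separate exit paths, so any early return added later between the lookup and `update_con_authorize()` will either leak `parsed` or bring back the ordering bug this commit fixes. A single cleanup label at the end of the function would tie the free to one place, after the last use of `parsed`. That needs an `int rc = -1;` declared at the top of the function, which starts outside this hunk. The free directly after `update_con_authorize(con, parsed, msg)` is only safe if that function does not keep the pointer past its return; its body is not visible here, so a short comment stating that lifetime expectation would help.

```c
	if (!con)
		goto out;

	if (!con->bsc->authenticated) {
		LOGP(DNAT, LOGL_ERROR, "Selected BSC not authenticated.\n");
		goto out;
	}

	/* parsed must stay valid until update_con_authorize() has returned */
	update_con_authorize(con, parsed, msg);
	/* ... unchanged: bsc_send_data() call ... */
	rc = 0;
out:
	talloc_free(parsed);
	return rc;
```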