tbf: Fix dangling m_new_tbf pointer Currently if a 'new' TBF is freed before the 'old' one (where old_tbf->m_new_tbf == new_tbf), the old_tbf->m_new_tbf is not cleared and can be accessed later on. This can lead to inconsistencies or segmentation faults. This commit adds m_old_tbf which points back from new_tbf to old_pdf. m_new_tbf and m_old_tbf are either both set to NULL or one is the reverse pointer of the other (tbf->m_new_tbf->m_old_tbf == tbf and tbf->m_old_tbf->m_new_tbf == tbf). It extends set_new_tbf and tbf_free to update the pointee accordingly. The TBF test is extended to check this invariant at several places. Sponsored-by: On-Waves ehf

commit: 08fe76a89334ddc4ee906bd30a00d908745b2b7b [log] [tgz]
author: Jacob Erlbeck <jerlbeck@sysmocom.de> Mon Feb 23 15:10:20 2015 +0100
committer: Jacob Erlbeck <jerlbeck@sysmocom.de> Mon Feb 23 15:10:20 2015 +0100
tree: d212ba153787c14d6f9209cd5fbea24da16db20f
parent: 5e9f40d3d9c29446ca1386f2198057fb8a914370 [diff] [blame]
diff --git a/src/tbf.h b/src/tbf.h
index 69f1f05..1bea31d 100644
--- a/src/tbf.h
+++ b/src/tbf.h

@@ -169,6 +169,7 @@
 	enum gprs_rlcmac_tbf_ul_ack_state ul_ack_state;
 
 	gprs_rlcmac_tbf *m_new_tbf;
+	gprs_rlcmac_tbf *m_old_tbf; /* reverse pointer for m_new_tbf */
 
 	enum gprs_rlcmac_tbf_poll_state poll_state;
 	uint32_t poll_fn; /* frame number to poll */
commit	08fe76a89334ddc4ee906bd30a00d908745b2b7b	[log] [tgz]
author	Jacob Erlbeck <jerlbeck@sysmocom.de>	Mon Feb 23 15:10:20 2015 +0100
committer	Jacob Erlbeck <jerlbeck@sysmocom.de>	Mon Feb 23 15:10:20 2015 +0100
tree	d212ba153787c14d6f9209cd5fbea24da16db20f
parent	5e9f40d3d9c29446ca1386f2198057fb8a914370 [diff] [blame]