pdch: Fix heap-use-after-free in pdch->ulc
In existing previous code, pdch->ulc would be freed in
gprs_rlcmac_pdch::free_resources() when it became disabled as per PCUIF
info_ind (for instance, when a DYN TS is switched PDCH->SDCCH8).
However, pdch->ulc was so far only allocated during pdch_init, which is
only called during bts_alloc() time.
Hence, after first info_ind disabling it, if it became again enabled
(again by info_ind re-enabling it after SDCCH8 was not longer in use),
the pdch->ulc would be used again but it would point to freed memory.
Let's rearrange how/when resources are freed to make it more logical.
With this patch, pdch internal resources are freed upon ->disable(), and
re-allocated upon ->enable().
Change-Id: Id51f5f6a54ac9f24b784c17bc360ac38f5726fc7
diff --git a/src/pdch.h b/src/pdch.h
index cfa0195..00f0b9d 100644
--- a/src/pdch.h
+++ b/src/pdch.h
@@ -55,8 +55,6 @@
bool add_paging(uint8_t chan_needed, const struct osmo_mobile_identity *mi);
- void free_resources();
-
bool is_enabled() const;
void enable();
@@ -145,6 +143,8 @@
enum gprs_rlcmac_tbf_direction dir);
gprs_rlcmac_tbf *tbf_by_tfi(uint8_t tfi,
enum gprs_rlcmac_tbf_direction dir);
+
+ void free_resources();
#endif
uint8_t m_num_tbfs[2];
@@ -191,6 +191,7 @@
void pdch_init(struct gprs_rlcmac_pdch *pdch, struct gprs_rlcmac_trx *trx, uint8_t ts_nr);
void pdch_free_all_tbf(struct gprs_rlcmac_pdch *pdch);
void pdch_disable(struct gprs_rlcmac_pdch *pdch);
+bool pdch_is_enabled(const struct gprs_rlcmac_pdch *pdch);
#ifdef __cplusplus
}
#endif