diff options
| author | Alexander Couzens <lynxis@fe80.eu> | 2021-09-04 01:10:46 +0200 |
|---|---|---|
| committer | Alexander Couzens <lynxis@fe80.eu> | 2021-09-04 01:25:32 +0200 |
| commit | c2fec69baabf545cfb8a5df622a5aaafefce310c (patch) | |
| tree | fe391a090e2e888c893fa8d26cbb6cfdaea40744 | |
| parent | db07a4498868a9ae219d9370861066630aaf5fe9 (diff) | |
gprs_ns2: also prevent recursive events when SGSN side cleans up
When cleaning up the SGSN side (e.g. receiving a SNS SIZE PDU) the
clean up will result in a use-after-free bug when the SGSN side is still
alive.
Change-Id: I0f57dd0577d1fc7bd270f58e15f6f22eb130ef59
| -rw-r--r-- | src/gb/gprs_ns2_sns.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/gb/gprs_ns2_sns.c b/src/gb/gprs_ns2_sns.c index 3eff0f3a..281f908e 100644 --- a/src/gb/gprs_ns2_sns.c +++ b/src/gb/gprs_ns2_sns.c @@ -2732,6 +2732,7 @@ static void ns2_clear_sgsn(struct ns2_sns_state *gss, struct gprs_ns2_vc *size_n ns2_clear_procedures(gss); ns2_clear_elems(&gss->local); ns2_clear_elems(&gss->remote); + gss->block_no_nsvc_events = true; llist_for_each_entry_safe(nsvc, nsvc2, &gss->nse->nsvc, list) { /* Ignore the NSVC over which the SIZE PDU got received */ if (size_nsvc && size_nsvc == nsvc) @@ -2739,6 +2740,7 @@ static void ns2_clear_sgsn(struct ns2_sns_state *gss, struct gprs_ns2_vc *size_n gprs_ns2_free_nsvc(nsvc); } + gss->block_no_nsvc_events = false; } static void ns2_sns_st_sgsn_unconfigured_onenter(struct osmo_fsm_inst *fi, uint32_t old_state) |