From c2fec69baabf545cfb8a5df622a5aaafefce310c Mon Sep 17 00:00:00 2001
From: Alexander Couzens
Date: Sat, 4 Sep 2021 01:10:46 +0200
Subject: gprs_ns2: also prevent recursive events when SGSN side cleans up

When cleaning up the SGSN side (e.g. receiving a SNS SIZE PDU) the clean up will result in a use-after-free bug when the SGSN side is still alive.

Change-Id: I0f57dd0577d1fc7bd270f58e15f6f22eb130ef59
---
 src/gb/gprs_ns2_sns.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/gb/gprs_ns2_sns.c b/src/gb/gprs_ns2_sns.c
index 3eff0f3a..281f908e 100644
--- a/src/gb/gprs_ns2_sns.c
+++ b/src/gb/gprs_ns2_sns.c
@@ -2732,6 +2732,7 @@ static void ns2_clear_sgsn(struct ns2_sns_state *gss, struct gprs_ns2_vc *size_n
 	ns2_clear_procedures(gss);
 	ns2_clear_elems(&gss->local);
 	ns2_clear_elems(&gss->remote);
+	gss->block_no_nsvc_events = true;
 	llist_for_each_entry_safe(nsvc, nsvc2, &gss->nse->nsvc, list) {
 		/* Ignore the NSVC over which the SIZE PDU got received */
 		if (size_nsvc && size_nsvc == nsvc)
@@ -2739,6 +2740,7 @@ static void ns2_clear_sgsn(struct ns2_sns_state *gss, struct gprs_ns2_vc *size_n
 		gprs_ns2_free_nsvc(nsvc);
 	}
 
+	gss->block_no_nsvc_events = false;
 }
 
 static void ns2_sns_st_sgsn_unconfigured_onenter(struct osmo_fsm_inst *fi, uint32_t old_state)
-- 
cgit v1.2.3
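Review bot: The reset in the second hunk unconditionally writes `gss->block_no_nsvc_events = false;`, so if ns2_clear_sgsn is ever entered while a caller has already set the flag (the "also" in the subject suggests another cleanup path sets it), that caller's suppression is cleared on return and the recursive no-NSVC event this commit guards against can fire again from the caller's remaining frees. Saving and restoring the previous value makes the two hunks nest safely: `bool was_blocked = gss->block_no_nsvc_events;` before the loop, `gss->block_no_nsvc_events = true;` as now, and `gss->block_no_nsvc_events = was_blocked;` at the end. A short comment above the `true` assignment would also record why the flag is needed here, e.g. `/* freeing NSVCs below must not raise a no-NSVC event that tears down gss underneath us */`. The part of ns2_clear_sgsn between the two hunks (the handling of the skipped size_nsvc) is outside the hunk.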