author Holger Hans Peter Freyther <zecke@selfish.org> 2012-12-16 14:05:20 +0100
committer Holger Hans Peter Freyther <zecke@selfish.org> 2012-12-16 14:12:38 +0100
commit 408208d8874a0f227d09e299db2346fc3f67b5ca
tree dfacd07d48e046ef161f8288d89b0919c3a14287
parent 5ea1bc77a3947f541d576f95e7ecc7249fc65b9b
nitb: Do not crash on IMSI Detach messages from a phone

This has been reported and analyzed by Tobias Engel. The IMSI Detach is dispatched as part of the complete layer3 message. I had patched the code to release the anchor and call msc_release_connection to release the connection as fast as possible (otherwise the anchor would trigger in a couple of seconds).

With commit 70ae5d3000edd12aee38497a6f541595a8c7dee8 I made this more generic to release the connection immediately if there are no operations, no transaction and no silent call. This leads to the subscriber connection being released twice and eventually causing a segfault.

Remove the msc_release_connection invocation from the IMSI Detach code as the connection will be taken down by the BSC API.

This has been tested using the FakeBTS and an IMSI Detach message. The channel is released immediately and the nitb does not crash.

-rw-r--r-- openbsc/src/libmsc/gsm_04_08.c 1
1 files changed, 0 insertions, 1 deletions
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 981617458..fd482e0bd 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -965,7 +965,6 @@ static int gsm48_rx_mm_imsi_detach_ind(struct gsm_subscriber_connection *conn, s
* imagine an IMSI DETACH happening during an active call! */
release_anchor(conn);
- msc_release_connection(conn);
return 0;
}
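
Review bot: after `release_anchor(conn);` nothing in the function records that the connection is intentionally left for the BSC API to take down, so a later cleanup could put `msc_release_connection(conn);` back and reintroduce the double release. Please add a short comment at that spot stating that the release happens in the generic path and must not be repeated here. Since the commit message says the crash is reachable through an IMSI Detach message sent by a phone, it is also worth checking whether msc_release_connection can be made safe against a second call on the same conn, and adding a regression test that feeds an IMSI Detach message, so the fix does not depend on every caller getting the ordering right.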