gbproxy: Reset IMSI acquisition and free stored messages in tlli_info

Currently the stored messages are only removed, when IMSI acquisition
has succeeded. In addition, receiving two ATTACH_REQ messages in
sequence (e.g. due to loss of a Identity Req/Resp message) will not
restart the IMSI acquisition procedure.

This patch adds gbproxy_tlli_info_discard_messages() to clean up the
message list and calls it from gbproxy_delete_tlli() fixing a
potential memory leak. It is also called when an Attach Request
message has been received. In that case the imsi_acq_pending flag is
cleared, too. This would (re-)trigger the IMSI acquisition procedure
at each of these messages. If an Ident Response has been lost,
resending the Ident Request with the same N(U) will not work.
Therefore the N(U) gets incremented on each Ident Request generated
by the gbproxy. The first N(U) used is 256 which shouldn't collide
with the V(UT) used by the SGSN given that P-TMSI patching is enabled
(since a new random TLLI is used initially on every new (no
tlli_info) connection and V(U) starts with zero then).

Ticket: OW#1261
Sponsored-by: On-Waves ehf

1 files changed, 12 insertions, 0 deletions

diff --git a/openbsc/src/gprs/gb_proxy_tlli.c b/openbsc/src/gprs/gb_proxy_tlli.c
index 4ceaea92a..58a45aef5 100644
--- a/openbsc/src/gprs/gb_proxy_tlli.c
+++ b/openbsc/src/gprs/gb_proxy_tlli.c
@@ -98,11 +98,23 @@ struct gbproxy_tlli_info *gbproxy_find_tlli_by_mi(
 	return NULL;
 }
 
+void gbproxy_tlli_info_discard_messages(struct gbproxy_tlli_info *tlli_info)
+{
+	struct msgb *msg, *nxt;
+
+	llist_for_each_entry_safe(msg, nxt, &tlli_info->stored_msgs, list) {
+		llist_del(&msg->list);
+		msgb_free(msg);
+	}
+}
+
 void gbproxy_delete_tlli(struct gbproxy_peer *peer,
 			 struct gbproxy_tlli_info *tlli_info)
 {
 	struct gbproxy_patch_state *state = &peer->patch_state;
 
+	gbproxy_tlli_info_discard_messages(tlli_info);
+
 	llist_del(&tlli_info->list);
 	talloc_free(tlli_info);
 	state->enabled_tllis_count -= 1;