sgsn: Free MM context after receiving a Detach Request

On a Detach/Re-attach cycle the Address Sanitizer detected a use-after-free kind of problem. That is because we tried to destroy the LLME twice. The first time it is destroyed as part of the Detach handling ans the second time it is destroyed as part of destroying the old MM context. In case the GPRS GMM detach message is lost the SGSN needs to reply besides not having a MM entry. The alternative would have been to add NULL checks for all usages of ctx->llme which would not have helped with the readability. Sponsored-by: On-Waves ehf
author: Jacob Erlbeck <jerlbeck@sysmocom.de> 2014-09-30 13:51:45 +0200
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> 2014-10-09 17:22:34 +0200
commit: 258ce3ded57e742889122c68d6a217d14a95edcc (patch)
tree: a6067954c0bb7a7aa8e116a7cb1af384ec142649 /openbsc/src/gprs/gprs_gmm.c
parent: fe9213313219e506d4c0ed538b0b03cd85814b08 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/openbsc/src/gprs/gprs_gmm.c b/openbsc/src/gprs/gprs_gmm.c
index ec639dc1b..a2d61cfe9 100644
--- a/openbsc/src/gprs/gprs_gmm.c
+++ b/openbsc/src/gprs/gprs_gmm.c
@@ -808,6 +808,8 @@ static int gsm48_rx_gmm_det_req(struct sgsn_mm_ctx *ctx, struct msgb *msg)
 	gprs_llgmm_assign(ctx->llme, ctx->tlli, 0xffffffff,
 			  GPRS_ALGO_GEA0, NULL);
 
+	sgsn_mm_ctx_free(ctx);
+
 	return rc;
 }
 
@@ -1575,6 +1577,8 @@ int gsm0408_gprs_rcvmsg(struct msgb *msg, struct gprs_llc_llme *llme)
 		break;
 	}
 
+	/* MMCTX can be invalid */
+
 	return rc;
 }
author	Jacob Erlbeck <jerlbeck@sysmocom.de>	2014-09-30 13:51:45 +0200
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	2014-10-09 17:22:34 +0200
commit	258ce3ded57e742889122c68d6a217d14a95edcc (patch)
tree	a6067954c0bb7a7aa8e116a7cb1af384ec142649 /openbsc/src/gprs/gprs_gmm.c
parent	fe9213313219e506d4c0ed538b0b03cd85814b08 (diff)