authorHolger Hans Peter Freyther <zecke@selfish.org>2011-08-06 14:52:56 +0200
committerHolger Hans Peter Freyther <zecke@selfish.org>2012-05-02 19:24:30 +0200
commit9ee4cf75e4f68b1adc4b00441fc06aa524fd85b0 (patch)
treeaba8ca7a7ec88df40302ae141cf6bbb6e32b8b93 /openbsc/src
parent130f88596feac5740e1bc77d86e13320750b006f (diff)
bsc: Fix crash that can occur on RF Failure
When we got a clear request we did not clear the internal association between the gsm_subscriber_connection and the SCCP part. When we got a DTAP message before the CLEAR COMMAND we will end up in a crash as the ->bts pointer of the connection has been cleared. #0 bsc_scan_msc_msg (conn=0xde178, msg=<value optimized out>) at osmo_bsc_filter.c:258 #1 0x000112c8 in bsc_handle_dt1 (conn=0xdebd8, msg=0xd1f58, len=<value optimized out>) at osmo_bsc_bssap.c:507 #2 0x00010208 in msc_outgoing_sccp_data (conn=<value optimized out>, msg=0xdfacc, len=858696) at osmo_bsc_sccp.c:73 #3 0x0003c110 in sccp_system_incoming (msgb=0xd1f58) at sccp.c:1064
Diffstat (limited to 'openbsc/src')
1 files changed, 12 insertions, 3 deletions
diff --git a/openbsc/src/osmo-bsc/osmo_bsc_api.c b/openbsc/src/osmo-bsc/osmo_bsc_api.c
index e48458ab7..71f1abfc2 100644
--- a/openbsc/src/osmo-bsc/osmo_bsc_api.c
+++ b/openbsc/src/osmo-bsc/osmo_bsc_api.c
@@ -281,19 +281,28 @@ static void bsc_assign_fail(struct gsm_subscriber_connection *conn,
static int bsc_clear_request(struct gsm_subscriber_connection *conn, uint32_t cause)
+ struct osmo_bsc_sccp_con *sccp;
struct msgb *resp;
return_when_not_connected_val(conn, 1);
+ /*
+ * Remove the connection from BSC<->SCCP part, the SCCP part
+ * will either be cleared by channel release or MSC disconnect
+ */
+ sccp = conn->sccp_con;
+ sccp->conn = NULL;
+ conn->sccp_con = NULL;
resp = gsm0808_create_clear_rqst(GSM0808_CAUSE_RADIO_INTERFACE_FAILURE);
if (!resp) {
LOGP(DMSC, LOGL_ERROR, "Failed to allocate response.\n");
- return 0;
+ return 1;
- bsc_queue_for_msc(conn->sccp_con, resp);
- return 0;
+ bsc_queue_for_msc(sccp, resp);
+ return 1;
static void bsc_mr_config(struct gsm_subscriber_connection *conn,
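Review bot: On the `if (!resp)` path the function now returns 1 after `sccp->conn` and `conn->sccp_con` have already been set to NULL, so no CLEAR REQUEST is queued and the detached SCCP connection appears to be left for an MSC disconnect to clean up. The error log should say so, e.g. `LOGP(DMSC, LOGL_ERROR, "Failed to allocate response, SCCP connection left for MSC to clear.\n");`, or that path should release the SCCP side itself. The fix also relies on every SCCP-side handler checking `sccp->conn` for NULL before use (the backtrace in the description runs through bsc_handle_dt1 into bsc_scan_msc_msg). Those functions are outside this hunk, so this needs confirming; otherwise the crash on the cleared `->bts` pointer becomes a NULL dereference on the same DTAP-before-CLEAR-COMMAND sequence. A short comment stating what return value 1 tells the caller would help too, since both paths change from 0 to 1 without explanation.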