sgsn: Free MM context after receiving a Detach Request

On a Detach/Re-attach cycle the Address Sanitizer detected a use-after-free kind of problem. That is because we tried to destroy the LLME twice. The first time it is destroyed as part of the Detach handling ans the second time it is destroyed as part of destroying the old MM context. In case the GPRS GMM detach message is lost the SGSN needs to reply besides not having a MM entry. The alternative would have been to add NULL checks for all usages of ctx->llme which would not have helped with the readability. Sponsored-by: On-Waves ehf
author: Jacob Erlbeck <jerlbeck@sysmocom.de> 2014-09-30 13:51:45 +0200
committer: Holger Hans Peter Freyther <holger@moiji-mobile.com> 2014-10-09 17:22:34 +0200
commit: 258ce3ded57e742889122c68d6a217d14a95edcc (patch)
tree: a6067954c0bb7a7aa8e116a7cb1af384ec142649 /openbsc/tests/sgsn/sgsn_test.c
parent: fe9213313219e506d4c0ed538b0b03cd85814b08 (diff)
1 files changed, 1 insertions, 3 deletions
diff --git a/openbsc/tests/sgsn/sgsn_test.c b/openbsc/tests/sgsn/sgsn_test.c
index 30ed1d94a..a38b1460f 100644
--- a/openbsc/tests/sgsn/sgsn_test.c
+++ b/openbsc/tests/sgsn/sgsn_test.c
@@ -141,9 +141,7 @@ static void test_gmm_detach(void)
 	/* verify that things are gone */
 	OSMO_ASSERT(count(gprs_llme_list()) == 0);
 	ictx = sgsn_mm_ctx_by_tlli(local_tlli, &raid);
-	/* this is still wrong and needs to be changed */
-	OSMO_ASSERT(ictx);
-	OSMO_ASSERT(ictx->llme == lle->llme);
+	OSMO_ASSERT(!ictx);
 }
 
 static struct log_info_cat gprs_categories[] = {
author	Jacob Erlbeck <jerlbeck@sysmocom.de>	2014-09-30 13:51:45 +0200
committer	Holger Hans Peter Freyther <holger@moiji-mobile.com>	2014-10-09 17:22:34 +0200
commit	258ce3ded57e742889122c68d6a217d14a95edcc (patch)
tree	a6067954c0bb7a7aa8e116a7cb1af384ec142649 /openbsc/tests/sgsn/sgsn_test.c
parent	fe9213313219e506d4c0ed538b0b03cd85814b08 (diff)