diff options
| author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-05-16 16:30:42 +0800 |
|---|---|---|
| committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-05-16 20:45:15 +0800 |
| commit | ddbb5a4e1ea2199f633e93df758639d61ec1028c (patch) | |
| tree | 1ec9fbd17850ae4a49ba85c510e7a3229c11146c /openbsc | |
| parent | 75042b80be042be97043587463cb0f4cdce93256 (diff) | |
[nat] Do not access the con after the removal
In case of a RLC message we will destroy the SCCP connection. This means
that accessing the con and con->bsc will access old memory. Keep the status
local and move the con into an inner scope.
Diffstat (limited to 'openbsc')
| -rw-r--r-- | openbsc/src/nat/bsc_nat.c | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/openbsc/src/nat/bsc_nat.c b/openbsc/src/nat/bsc_nat.c index e2f15e79e..615654c4d 100644 --- a/openbsc/src/nat/bsc_nat.c +++ b/openbsc/src/nat/bsc_nat.c @@ -608,8 +608,9 @@ static void ipaccess_auth_bsc(struct tlv_parsed *tvp, struct bsc_connection *bsc static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg) { + int con_found = 0; + struct bsc_connection *con_bsc = NULL; int con_type; - struct sccp_connections *con; struct bsc_nat_parsed *parsed; /* Parse and filter messages */ @@ -637,6 +638,7 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg) /* modify the SCCP entries */ if (parsed->ipa_proto == IPAC_PROTO_SCCP) { + struct sccp_connections *con; switch (parsed->sccp_type) { case SCCP_MSG_TYPE_CR: if (bsc_nat_filter_sccp_cr(bsc, msg, parsed, &con_type) != 0) @@ -645,6 +647,8 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg) goto exit2; con = patch_sccp_src_ref_to_msc(msg, parsed, bsc); con->con_type = con_type; + con_found = 1; + con_bsc = con->bsc; break; case SCCP_MSG_TYPE_RLSD: case SCCP_MSG_TYPE_CREF: @@ -652,9 +656,17 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg) case SCCP_MSG_TYPE_CC: case SCCP_MSG_TYPE_IT: con = patch_sccp_src_ref_to_msc(msg, parsed, bsc); + if (con) { + con_found = 1; + con_bsc = con->bsc; + } break; case SCCP_MSG_TYPE_RLC: con = patch_sccp_src_ref_to_msc(msg, parsed, bsc); + if (con) { + con_found = 1; + con_bsc = con->bsc; + } remove_sccp_src_ref(bsc, msg, parsed); break; case SCCP_MSG_TYPE_UDT: @@ -675,9 +687,9 @@ static int forward_sccp_to_msc(struct bsc_connection *bsc, struct msgb *msg) goto exit2; } - if (con && con->bsc != bsc) { + if (con_found && con_bsc != bsc) { LOGP(DNAT, LOGL_ERROR, "The connection belongs to a different BTS: input: %d con: %d\n", - bsc->cfg->nr, con->bsc->cfg->nr); + bsc->cfg->nr, con_bsc->cfg->nr); goto exit2; } |