From 815945550685249aa002ef55b9ef990faa10ee0e Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Tue, 4 Aug 2015 11:37:30 +0200 Subject: subscr: Fix potential subscr ref count issue In case the subscriber is currently busy we would omit the subscr_put. This seems to be very hard to hit as the subscr need to be active and at the same time be selected for the purge operation. --- openbsc/src/libmsc/gsm_subscriber.c | 1 + 1 file changed, 1 insertion(+) diff --git a/openbsc/src/libmsc/gsm_subscriber.c b/openbsc/src/libmsc/gsm_subscriber.c index 442e84c4c..57c10cf7e 100644 --- a/openbsc/src/libmsc/gsm_subscriber.c +++ b/openbsc/src/libmsc/gsm_subscriber.c @@ -353,6 +353,7 @@ static void subscr_expire_callback(void *data, long long unsigned int id) LOGP(DMM, LOGL_DEBUG, "Not expiring subscriber %s (ID %llu)\n", subscr_name(s), id); subscr_update_expire_lu(s, conn->bts); + subscr_put(s); return; } -- cgit v1.2.3 From 5425e5ea27e3d5b4ce43c1e2ae40252dd14ddfb0 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Tue, 4 Aug 2015 12:22:56 +0200 Subject: subscr: Fix subscr refcount issue in case of message error In case the SMPP payload didn't include the right fields we would leak the subscr reference count. --- openbsc/src/libmsc/smpp_openbsc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openbsc/src/libmsc/smpp_openbsc.c b/openbsc/src/libmsc/smpp_openbsc.c index 057a9d048..a2fa0f4b5 100644 --- a/openbsc/src/libmsc/smpp_openbsc.c +++ b/openbsc/src/libmsc/smpp_openbsc.c @@ -110,6 +110,7 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net, /* ERROR: we cannot have both! */ LOGP(DLSMS, LOGL_ERROR, "SMPP Cannot have payload in " "TLV _and_ in the header\n"); + subscr_put(dest); return ESME_ROPTPARNOTALLWD; } sms_msg = t->value.octet; @@ -120,6 +121,7 @@ static int submit_to_sms(struct gsm_sms **psms, struct gsm_network *net, } else { LOGP(DLSMS, LOGL_ERROR, "SMPP neither message payload nor valid sm_length.\n"); + subscr_put(dest); return ESME_RINVPARLEN; } -- cgit v1.2.3