From 80c37bd8068526486ff9e4328ac4c1b3f42b3d8a Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Sat, 6 Aug 2011 14:52:56 +0200
Subject: bsc: Fix crash that can occur on RF Failure
When we got a clear request we did not clear the internal association between the gsm_subscriber_connection and the SCCP part. When we got a DTAP message before the CLEAR COMMAND we will end up in a crash as the ->bts pointer of the connection has been cleared.
#0 bsc_scan_msc_msg (conn=0xde178, msg=) at osmo_bsc_filter.c:258
#1 0x000112c8 in bsc_handle_dt1 (conn=0xdebd8, msg=0xd1f58, len=) at osmo_bsc_bssap.c:507
#2 0x00010208 in msc_outgoing_sccp_data (conn=, msg=0xdfacc, len=858696) at osmo_bsc_sccp.c:73
#3 0x0003c110 in sccp_system_incoming (msgb=0xd1f58) at sccp.c:1064
---
openbsc/src/osmo-bsc/osmo_bsc_api.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'openbsc/src/osmo-bsc/osmo_bsc_api.c')
diff --git a/openbsc/src/osmo-bsc/osmo_bsc_api.c b/openbsc/src/osmo-bsc/osmo_bsc_api.c
index d02b0b5e4..2869f4756 100644
--- a/openbsc/src/osmo-bsc/osmo_bsc_api.c
+++ b/openbsc/src/osmo-bsc/osmo_bsc_api.c
@@ -159,19 +159,28 @@ static void bsc_assign_fail(struct gsm_subscriber_connection *conn,
 static int bsc_clear_request(struct gsm_subscriber_connection *conn, uint32_t cause)
 {
+ struct osmo_bsc_sccp_con *sccp;
 struct msgb *resp;
 return_when_not_connected_val(conn, 1);
 LOGP(DMSC, LOGL_INFO, "Tx MSC CLEAR REQUEST\n");
+ /*
+ * Remove the connection from BSC<->SCCP part, the SCCP part
+ * will either be cleared by channel release or MSC disconnect
+ */
+ sccp = conn->sccp_con;
+ sccp->conn = NULL;
+ conn->sccp_con = NULL;
+
 resp = gsm0808_create_clear_rqst(GSM0808_CAUSE_RADIO_INTERFACE_FAILURE);
 if (!resp) {
 LOGP(DMSC, LOGL_ERROR, "Failed to allocate response.\n");
- return 0;
+ return 1;
 }
- bsc_queue_for_msc(conn->sccp_con, resp);
- return 0;
+ bsc_queue_for_msc(sccp, resp);
+ return 1;
 }
 static struct bsc_api bsc_handler = {
--
cgit v1.2.3
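Review bot: The new `sccp->conn = NULL;` dereferences `conn->sccp_con` with no check of its own, so it depends entirely on `return_when_not_connected_val(conn, 1)` (defined outside the hunk) having already rejected a connection whose SCCP side is gone; if that macro tests something else, a second clear request on an already-severed connection would now fault here instead of in bsc_scan_msc_msg. Either an explicit `if (!sccp) return 1;` right after the assignment, or a comment stating that return_when_not_connected_val guarantees a non-NULL sccp_con, would make the invariant local to this function. The change of the return value from 0 to 1 on both paths is not explained in the commit message or the code, and it is this value that the generic bsc_api caller presumably uses to decide whether the subscriber connection is torn down; a one-line comment such as `/* 1: connection is finished on the BSC side, caller may release it */` (wording to be confirmed against the caller) would help the next reader. Note also that the link is cut before the CLEAR REQUEST is allocated, so on allocation failure the SCCP connection stays up with no request sent and only the error log as a trace, which is the "MSC disconnect" case the new comment alludes to and is worth stating explicitly there.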