From 05c68841a835b3bbc5a95fa809e136e4e376154c Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther <zecke@selfish.org>
Date: Wed, 3 Nov 2010 19:01:58 +0100
Subject: bsc_api: Fix a use after free error in the Clear Request path

The implementation of bsc_hack would call subscr_con_free before
the BSC API has had the chance to call gsm0808_clear to try to
release other channels. Fix that by adding a return value.
---
 openbsc/src/osmo_msc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'openbsc/src/osmo_msc.c')

diff --git a/openbsc/src/osmo_msc.c b/openbsc/src/osmo_msc.c
index 1fad510fe..0ed973b10 100644
--- a/openbsc/src/osmo_msc.c
+++ b/openbsc/src/osmo_msc.c
@@ -36,9 +36,10 @@ static void msc_sapi_n_reject(struct gsm_subscriber_connection *conn, int dlci)
 		gsm411_sapi_n_reject(conn);
 }
 
-static void msc_clear_request(struct gsm_subscriber_connection *conn, uint32_t cause)
+static int msc_clear_request(struct gsm_subscriber_connection *conn, uint32_t cause)
 {
 	gsm0408_clear_request(conn, cause);
+	return 1;
 }
 
 static int msc_compl_l3(struct gsm_subscriber_connection *conn, struct msgb *msg,
-- 
cgit v1.2.3