author: Neels Hofmeyr <neels@hofmeyr.de> 2018-12-21 01:35:21 +0100
committer: gsmevent admin <admin@gsmevent.box> 2018-12-24 15:45:50 +0100
commit: c1c4a1320602ce121246e09a399122529c6d9ebc
parent: 7cd1b89fd3f26d19cfcc190806173bad0bd61981
release RTP stream only for matching CC transaction
Do not break the currently ongoing call when rejecting a second incoming caller.

There may be multiple (up to seven) simultaneous CC transactions, and there is one mgcp_ctx for the currently active RTP stream. Release the MGCP context only when the active CC transaction is releasing.

Before this patch, any CC transaction release would destroy the single MGCP context, possibly breaking the currently ongoing call (another CC trans).

This also fixes a possible use-after-free if there were pending MGCP message responses for the MGCP context; they are canceled properly for a released transaction, but since one transaction would free the other transaction's MGCP state, the clean up did not take place and possibly caused an mgcp client response handling to access a freed mgcp_ctx.

Related: OS#3735
Change-Id: I1f8746e7babfcd3028a4d2c0ba260c608c686c76
1 files changed, 6 insertions, 0 deletions
diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c
index 6170c108c..23e68e7b4 100644
--- a/src/libmsc/msc_mgcp.c
+++ b/src/libmsc/msc_mgcp.c
@@ -1164,6 +1164,12 @@ int msc_mgcp_call_release(struct gsm_trans *trans)
return -EINVAL;
+ if (mgcp_ctx->trans != trans) {
+ LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) call release for background CC transaction\n",
+ trans->transaction_id, vlr_subscr_name(trans->vsub));
+ return 0;
+ }
LOGP(DMGCP, LOGL_DEBUG, "(ti %02x %s) Call release: tearing down MGW endpoint\n",
trans->transaction_id, vlr_subscr_name(trans->vsub));
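Review bot: the new `if (mgcp_ctx->trans != trans)` guard in msc_mgcp_call_release() decides ownership purely by pointer identity, so it is only correct while mgcp_ctx->trans is kept current whenever the active CC transaction changes or goes away. If that field were stale, every release would take the early `return 0` and leave the MGW endpoint up, and nothing in this hunk shows where the field is maintained. Please confirm that, and add a short comment above the check saying that one mgcp_ctx is shared by several CC transactions and only the owning one may tear it down. The early return also reports 0 without releasing anything, so if callers read 0 as "endpoint torn down", the function's documentation should state that 0 can mean the call was skipped for a background transaction.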