authorNeels Hofmeyr <neels@hofmeyr.de>2019-09-19 05:43:21 +0200
committerNeels Hofmeyr <neels@hofmeyr.de>2019-09-19 05:46:08 +0200
commit5a4b15e169c2bc1b96a65ad58365026b08f8ba1a (patch)
tree13a0aee589d211f3f48855d0b95de1f3f88e6ca0
parentbb60905bce6e50d7935e569d37e472c1d3ad5270 (diff)
rtp_stream: fix use-after-free from wrong MGCPneels/mncc_codecs
When an MGCP message contains invalid information, msc_a may deallocate call_leg and rtp_stream during event dispatch. Make sure to not access the FSM inst anymore if that is the case. Depends: I4d8306488506c60b4c2fc1c4cb3ac04654db9c43 (libosmocore) Change-Id: Iaa8e3da2969ebb4c78bff11d0d59f01b10f341d7
-rw-r--r--src/libmsc/rtp_stream.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/libmsc/rtp_stream.c b/src/libmsc/rtp_stream.c
index baac6e1..59b49d8 100644
--- a/src/libmsc/rtp_stream.c
+++ b/src/libmsc/rtp_stream.c
@@ -170,6 +170,10 @@ static void rtp_stream_fsm_establishing_established(struct osmo_fsm_inst *fi, ui
rtps->local_osmux_cid = crcx_info->x_osmo_osmux_cid;
rtp_stream_update_id(rtps);
osmo_fsm_inst_dispatch(fi->proc.parent, CALL_LEG_EV_RTP_STREAM_ADDR_AVAILABLE, rtps);
+ if (!osmo_fsm_inst_exists(&rtp_stream_fsm, fi)) {
+ /* Above event dispatch has deallocated this rtp_stream. Must not access it anymore. */
+ return;
+ }
check_established(rtps);
if ((!rtps->remote_sent_to_mgw || !rtps->codec_sent_to_mgw)