bsc_msc_ip: Crash fix on MO-Call starting with a SDCCH

We do not assing a GSM Subscriber to Mobile Originated calls, when
requesting a SDCCH and then starting call control we will crash here
due trying to copy a NULL subscriber from the lchan to the other.

We do not need to know the IMSI at the BSC so it is okay to not
copy the subscriber around, we could even kill all subscriber handling
in the future.

2 files changed, 6 insertions, 3 deletions

diff --git a/openbsc/src/bsc_msc_ip.c b/openbsc/src/bsc_msc_ip.c
index d63041401..46796c192 100644
--- a/openbsc/src/bsc_msc_ip.c
+++ b/openbsc/src/bsc_msc_ip.c
@@ -372,7 +372,8 @@ static int handle_ass_compl(struct msgb *msg)
 	old_chan->msc_data = NULL;
 
 	/* give up the old channel to not do a SACCH deactivate */
-	subscr_put(old_chan->conn.subscr);
+	if (old_chan->conn.subscr)
+		subscr_put(old_chan->conn.subscr);
 	old_chan->conn.subscr = NULL;
 	put_subscr_con(&old_chan->conn, 1);
 
diff --git a/openbsc/src/bssap.c b/openbsc/src/bssap.c
index 1c84073da..73d225cec 100644
--- a/openbsc/src/bssap.c
+++ b/openbsc/src/bssap.c
@@ -289,7 +289,8 @@ static void bssmap_free_secondary(struct bss_sccp_connection_data *data)
 	lchan->msc_data = NULL;
 
 	/* give up the new channel to not do a SACCH deactivate */
-	subscr_put(lchan->conn.subscr);
+	if (lchan->conn.subscr)
+		subscr_put(lchan->conn.subscr);
 	lchan->conn.subscr = NULL;
 	put_subscr_con(&lchan->conn, 1);
 }
@@ -414,7 +415,8 @@ static int handle_new_assignment(struct msgb *msg, int full_rate, int chan_mode)
 	memcpy(&new_lchan->encr, &msg->lchan->encr, sizeof(new_lchan->encr));
 	new_lchan->ms_power = msg->lchan->ms_power;
 	new_lchan->bs_power = msg->lchan->bs_power;
-	new_lchan->conn.subscr = subscr_get(msg->lchan->conn.subscr);
+	if (msg->lchan->conn.subscr)
+		new_lchan->conn.subscr = subscr_get(msg->lchan->conn.subscr);
 
 	/* copy new data to it */
 	use_subscr_con(&new_lchan->conn);