mgcp: be sure that pending mgcp transactions are canceled before free

When the FSM reaches ST_HALT it frees itsself and all context
information but it is not ensured that there are still pending
MGW transactions that might hit late and eventually cause a use after
free situation.

- if an MGW transaction is still pending, cancel it.

Change-Id: I8ff55e48a95cc4c556a97ad2593bad1cc1aa69bd

1 files changed, 7 insertions, 0 deletions

diff --git a/src/libmsc/msc_mgcp.c b/src/libmsc/msc_mgcp.c
index 738d1b806..0790b2bc4 100644
--- a/src/libmsc/msc_mgcp.c
+++ b/src/libmsc/msc_mgcp.c
@@ -781,8 +781,11 @@ static void mgw_dlcx_all_resp_cb(struct mgcp_response *r, void *priv)
 static void fsm_halt_cb(struct osmo_fsm_inst *fi, uint32_t event, void *data)
 {
 	struct mgcp_ctx *mgcp_ctx = data;
+	struct mgcp_client *mgcp;
 
 	OSMO_ASSERT(mgcp_ctx);
+	mgcp = mgcp_ctx->mgcp;
+	OSMO_ASSERT(mgcp);
 
 	/* NOTE: We must not free the context information now, we have to
 	 * wait until msc_mgcp_call_release() is called. Then we are sure
@@ -792,6 +795,10 @@ static void fsm_halt_cb(struct osmo_fsm_inst *fi, uint32_t event, void *data)
 	 * so lets keep the context info until we are explicitly asked for
 	 * throwing it away. */
 	if (mgcp_ctx->free_ctx) {
+		/* Be sure that there is no pending MGW transaction */
+		mgcp_client_cancel(mgcp, mgcp_ctx->mgw_pending_trans);
+
+		/* Free FSM and its context information  */
 		osmo_fsm_inst_free(mgcp_ctx->fsm);
 		talloc_free(mgcp_ctx);
 		return;