From d78d9d5553ef2e0bd086d2e1d38058965d08f93a Mon Sep 17 00:00:00 2001
From: Neels Hofmeyr
Date: Tue, 13 Mar 2018 18:03:15 +0100
Subject: trans_free: safeguard against a still running CC timer on free

Make sure to deactivate trans.cc.timer when freeing a CC transaction. Log an error if should be necessary. This prevents a segfault when we receive a BSSMAP Clear Request from BSC during an ongoing CC operation. The BSSMAP Clear Request currently triggers immediate freeing of the conn, while we should still do a graceful release first. While this patch does not fix the underlying error, it does prevent the MSC from crashing due to a stale timer, whatever the cause might be.

Related: OS#3062
Change-Id: I86b666f23402a6d94af2d903e514770d1fd5157f
---
 src/libmsc/transaction.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/libmsc/transaction.c b/src/libmsc/transaction.c
index f500326c9..cdaba9c79 100644
--- a/src/libmsc/transaction.c
+++ b/src/libmsc/transaction.c
@@ -121,6 +121,15 @@ void trans_free(struct gsm_trans *trans)
 switch (trans->protocol) {
 case GSM48_PDISC_CC:
 _gsm48_cc_trans_free(trans);
+if (osmo_timer_pending(&trans->cc.timer)) {
+LOGP(DCC, LOGL_ERROR,
+"%s Timer 0x%x is still running while discarding transaction"
+" -- this is a bug: we were still expecting a response but"
+" are freeing the transaction anyway\n",
+vlr_subscr_name(trans->conn->vsub), trans->cc.Tcurrent);
+osmo_timer_del(&trans->cc.timer);
+trans->cc.Tcurrent = 0;
+}
 conn_usage_token = MSC_CONN_USE_TRANS_CC;
 break;
 case GSM48_PDISC_SMS:
-- 
cgit v1.2.3
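Review bot: The added LOGP argument `vlr_subscr_name(trans->conn->vsub)` dereferences `trans->conn` with no NULL check, and this error path is exactly the one taken while a conn is being torn down, so the safeguard itself can fault if the transaction has already been detached from its conn; trans_free continues past the hunk and I cannot see whether `trans->conn` is guaranteed non-NULL at this point. If vlr_subscr_name tolerates a NULL vsub, the log call can be made safe with `vlr_subscr_name(trans->conn ? trans->conn->vsub : NULL), trans->cc.Tcurrent);`, otherwise guard the whole LOGP on `trans->conn`. As a matter of placement, the timer/Tcurrent knowledge is CC-specific, so the check would arguably sit better at the end of `_gsm48_cc_trans_free` (called on the line above, body not in the hunk) than in the generic protocol switch, so that any other caller of the CC free path gets the same protection.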