From c0a0ec494ff2dfdf2a28f38b382505da72d405d4 Mon Sep 17 00:00:00 2001
From: Harald Welte
Date: Mon, 4 Mar 2019 22:32:52 +0100
Subject: ipa: Make ipa_server_conn_destroy() re-entrant

In some situations, the user code called by the closed_cb call-back might be tempted to call itself ipa_server_conn_destroy(), which would lead to a double-llist_del during osmo_fd_unregister() and also a subsequent double talloc_free(). Let's prevent such misuse by existing early in such situations.

Change-Id: I0fef264ed5b4218906cdbca243ffa11b891025c6
---
 src/input/ipa.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/input')
diff --git a/src/input/ipa.c b/src/input/ipa.c
index e41ec42..25eeb4a 100644
--- a/src/input/ipa.c
+++ b/src/input/ipa.c
@@ -503,7 +503,12 @@ err:
 void ipa_server_conn_destroy(struct ipa_server_conn *conn)
 {
+ /* make the function re-entrant in case closed_cb() below somehow
+ * calls again into this destructor */
+ if (conn->ofd.fd == -1)
+ return;
 close(conn->ofd.fd);
+ conn->ofd.fd = -1;
 msgb_free(conn->pending_msg);
 osmo_fd_unregister(&conn->ofd);
 if (conn->closed_cb)
-- cgit v1.2.3
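Review bot: The `conn->ofd.fd == -1` guard only protects a nested call made from inside closed_cb(), while conn is still allocated. The commit message says the function later reaches talloc_free() (that part of the body lies outside the hunk), so a second call made after the first has returned would read `conn->ofd.fd` from freed memory and is not caught. I would state that limit in the new comment, for example `/* guards re-entry from closed_cb() only: conn is freed on return, callers must not use it or call this again afterwards */`. Using the fd as the "already destroyed" marker also means a connection that arrives here with fd == -1 for any other reason returns before msgb_free() and osmo_fd_unregister(), which may leak pending_msg and conn; whether that can happen depends on callers not shown here.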