gprs_ns2: free_nse: free the SNS fsm early

If the SNS fsm isn't freed early, the SNS code will re-create a NSVC when calling free_nsvc(). Fixes libasan heap-use-after-free. Change-Id: If350df1d8d6dcea5715dd23b8bd1d684098cdb1f
author: Alexander Couzens <lynxis@fe80.eu> 2021-02-19 12:56:35 +0100
committer: Alexander Couzens <lynxis@fe80.eu> 2021-02-19 12:57:23 +0100
commit: 2665388e2678f0f19e3cede6705d1cac02b52189 (patch)
tree: d99604c452b99526ea3683f86fe1b420f0b45776
parent: 662d10dcdaa471dcdfa244802395a1e261e6f8df (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c
index c48575b3..a79dd05f 100644
--- a/src/gb/gprs_ns2.c
+++ b/src/gb/gprs_ns2.c
@@ -831,12 +831,15 @@ void gprs_ns2_free_nse(struct gprs_ns2_nse *nse)
 		return;
 
 	nse->alive = false;
+	if (nse->bss_sns_fi) {
+		osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL);
+		nse->bss_sns_fi = NULL;
+	}
+
 	gprs_ns2_free_nsvcs(nse);
 	ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE);
 
 	llist_del(&nse->list);
-	if (nse->bss_sns_fi)
-		osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL);
 	talloc_free(nse);
 }
author	Alexander Couzens <lynxis@fe80.eu>	2021-02-19 12:56:35 +0100
committer	Alexander Couzens <lynxis@fe80.eu>	2021-02-19 12:57:23 +0100
commit	2665388e2678f0f19e3cede6705d1cac02b52189 (patch)
tree	d99604c452b99526ea3683f86fe1b420f0b45776
parent	662d10dcdaa471dcdfa244802395a1e261e6f8df (diff)