From 2665388e2678f0f19e3cede6705d1cac02b52189 Mon Sep 17 00:00:00 2001
From: Alexander Couzens
Date: Fri, 19 Feb 2021 12:56:35 +0100
Subject: gprs_ns2: free_nse: free the SNS fsm early

If the SNS fsm isn't freed early, the SNS code will re-create a NSVC when calling free_nsvc(). Fixes libasan heap-use-after-free.

Change-Id: If350df1d8d6dcea5715dd23b8bd1d684098cdb1f
---
 src/gb/gprs_ns2.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/gb/gprs_ns2.c b/src/gb/gprs_ns2.c
index c48575b3..a79dd05f 100644
--- a/src/gb/gprs_ns2.c
+++ b/src/gb/gprs_ns2.c
@@ -831,12 +831,15 @@ void gprs_ns2_free_nse(struct gprs_ns2_nse *nse)
 return;
 nse->alive = false;
+ if (nse->bss_sns_fi) {
+ osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL);
+ nse->bss_sns_fi = NULL;
+ }
+
 gprs_ns2_free_nsvcs(nse);
 ns2_prim_status_ind(nse, NULL, 0, GPRS_NS2_AFF_CAUSE_FAILURE);
 llist_del(&nse->list);
- if (nse->bss_sns_fi)
- osmo_fsm_inst_term(nse->bss_sns_fi, OSMO_FSM_TERM_REQUEST, NULL);
 talloc_free(nse);
 }
-- 
cgit v1.2.3
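Review bot: The new `if (nse->bss_sns_fi)` block placed before `gprs_ns2_free_nsvcs(nse)` encodes an ordering invariant that only the commit message explains; the code itself gives a future maintainer no reason not to move it back next to `llist_del()`, which would silently reintroduce the use-after-free. Add a why-comment above the new block, e.g. `/* Terminate the SNS fsm before tearing down the NSVCs: its cleanup path otherwise re-creates NSVCs while free_nsvcs() frees them (heap-use-after-free). */`. Clearing `nse->bss_sns_fi` after termination is the right defensive step, since any later path that re-checks the pointer (as the removed lines did) now sees NULL instead of a dangling instance. Whether the fsm's termination callbacks themselves touch the NSVC list or rely on `nse->alive` already being false cannot be seen from this hunk and is worth confirming in the SNS fsm code. gprs_ns2_free_nse begins before the hunk.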