gsm_subscriber_base: Take a ref on the subscriber to avoid use after free

On expired paging we might access a GSM Subscriber that has already been deleted. To avoid this we will add a subscr_get/subscr_put for the subscriber to the allocation and release path of the request. Reported-by: Richard Zahoransky
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-06-30 09:22:31 +0800
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-06-30 11:59:29 +0800
commit: 66efcbce659239a9d47e893293e88a9dc7cd8251 (patch)
tree: 128ec44eb0b65c3a504a97a67f373f7bf0f9232b
parent: 93d50e69d37b3e3bd5cd41967705b8645cfefdec (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/openbsc/src/gsm_subscriber_base.c b/openbsc/src/gsm_subscriber_base.c
index 50e6865bf..c06b1ce6b 100644
--- a/openbsc/src/gsm_subscriber_base.c
+++ b/openbsc/src/gsm_subscriber_base.c
@@ -1,7 +1,8 @@
 /* The concept of a subscriber as seen by the BSC */
 
 /* (C) 2008 by Harald Welte <laforge@gnumonks.org>
- * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org>
+ * (C) 2009-2010 by Holger Hans Peter Freyther <zecke@selfish.org>
+ * (C) 2010 by On Waves
  *
  * All Rights Reserved
  *
@@ -88,6 +89,7 @@ static int subscr_paging_cb(unsigned int hooknum, unsigned int event,
 	request->cbfn(hooknum, event, msg, data, request->param);
 	subscr->in_callback = 0;
 
+	subscr_put(subscr);
 	talloc_free(request);
 	return 0;
 }
@@ -165,7 +167,7 @@ void subscr_get_channel(struct gsm_subscriber *subscr,
 	}
 
 	memset(request, 0, sizeof(*request));
-	request->subscr = subscr;
+	request->subscr = subscr_get(subscr);
 	request->channel_type = type;
 	request->cbfn = cbfn;
 	request->param = param;
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-06-30 09:22:31 +0800
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-06-30 11:59:29 +0800
commit	66efcbce659239a9d47e893293e88a9dc7cd8251 (patch)
tree	128ec44eb0b65c3a504a97a67f373f7bf0f9232b
parent	93d50e69d37b3e3bd5cd41967705b8645cfefdec (diff)