bsc_api: Fix a use after free error in the Clear Request path

The implementation of bsc_hack would call subscr_con_free before the BSC API has had the chance to call gsm0808_clear to try to release other channels. Fix that by adding a return value.
author: Holger Hans Peter Freyther <zecke@selfish.org> 2010-11-03 19:01:58 +0100
committer: Holger Hans Peter Freyther <zecke@selfish.org> 2010-11-15 20:06:46 +0100
commit: 05c68841a835b3bbc5a95fa809e136e4e376154c (patch)
tree: 6bd4764672fc26a77ad1cfdf66c110fcb4a11aa6 /openbsc/src/bsc_api.c
parent: 85334f1309c89cf99e6ea55ea119c5b0d143cb5f (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/openbsc/src/bsc_api.c b/openbsc/src/bsc_api.c
index 21d0ae7a3..e8f42d275 100644
--- a/openbsc/src/bsc_api.c
+++ b/openbsc/src/bsc_api.c
@@ -241,6 +241,7 @@ static int bsc_handle_lchan_signal(unsigned int subsys, unsigned int signal,
 	struct bsc_api *bsc;
 	struct gsm_lchan *lchan;
 	struct gsm_subscriber_connection *conn;
+	int destruct = 1;
 
 	if (subsys != SS_LCHAN || signal != S_LCHAN_UNEXPECTED_RELEASE)
 		return 0;
@@ -255,7 +256,7 @@ static int bsc_handle_lchan_signal(unsigned int subsys, unsigned int signal,
 
 	conn = lchan->conn;
 	if (bsc->clear_request)
-		bsc->clear_request(conn, 0);
+		destruct = bsc->clear_request(conn, 0);
 
 	/* now give up all channels */
 	if (conn->lchan == lchan)
@@ -264,6 +265,9 @@ static int bsc_handle_lchan_signal(unsigned int subsys, unsigned int signal,
 		conn->ho_lchan = NULL;
 	gsm0808_clear(conn);
 
+	if (destruct)
+		subscr_con_free(conn);
+
 	return 0;
 }
author	Holger Hans Peter Freyther <zecke@selfish.org>	2010-11-03 19:01:58 +0100
committer	Holger Hans Peter Freyther <zecke@selfish.org>	2010-11-15 20:06:46 +0100
commit	05c68841a835b3bbc5a95fa809e136e4e376154c (patch)
tree	6bd4764672fc26a77ad1cfdf66c110fcb4a11aa6 /openbsc/src/bsc_api.c
parent	85334f1309c89cf99e6ea55ea119c5b0d143cb5f (diff)