author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-11-03 19:01:58 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-11-15 20:06:46 +0100 |
commit | 05c68841a835b3bbc5a95fa809e136e4e376154c (patch) | |
tree | 6bd4764672fc26a77ad1cfdf66c110fcb4a11aa6 /openbsc/src/bsc_api.c | |
parent | 85334f1309c89cf99e6ea55ea119c5b0d143cb5f (diff) |
bsc_api: Fix a use after free error in the Clear Request path
The implementation of bsc_hack would call subscr_con_free before
the BSC API has had the chance to call gsm0808_clear to try to
release other channels. Fix that by adding a return value.
Diffstat (limited to 'openbsc/src/bsc_api.c')
-rw-r--r-- | openbsc/src/bsc_api.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/openbsc/src/bsc_api.c b/openbsc/src/bsc_api.c
index 21d0ae7a3..e8f42d275 100644
--- a/openbsc/src/bsc_api.c
+++ b/openbsc/src/bsc_api.c
@@ -241,6 +241,7 @@ static int bsc_handle_lchan_signal(unsigned int subsys, unsigned int signal,
 struct bsc_api *bsc;
 struct gsm_lchan *lchan;
 struct gsm_subscriber_connection *conn;
+ int destruct = 1;
 if (subsys != SS_LCHAN || signal != S_LCHAN_UNEXPECTED_RELEASE)
 return 0;
@@ -255,7 +256,7 @@ static int bsc_handle_lchan_signal(unsigned int subsys, unsigned int signal,
 conn = lchan->conn;
 if (bsc->clear_request)
- bsc->clear_request(conn, 0);
+ destruct = bsc->clear_request(conn, 0);
 /* now give up all channels */
 if (conn->lchan == lchan)
@@ -264,6 +265,9 @@ static int bsc_handle_lchan_signal(unsigned int subsys, unsigned int signal,
 conn->ho_lchan = NULL;
 gsm0808_clear(conn);
+ if (destruct)
+ subscr_con_free(conn);
+
 return 0;
 } |
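Review bot: The meaning of the value returned by `bsc->clear_request(conn, 0)` is not documented where it is consumed, yet the ownership rule it implies is what prevents both a use-after-free and a double free. The lines after this call still dereference `conn` and pass it to `gsm0808_clear`, so a callback must never free `conn` itself: non-zero has to mean "caller frees", and zero "the callback keeps the connection alive and releases it later". I would add above the call `/* clear_request must not free conn; non-zero asks us to subscr_con_free() it below, 0 means the callback keeps ownership */` and state the same on the callback's declaration, which is outside this diff. The function body starts and ends outside this hunk.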
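Review bot: After `subscr_con_free(conn)` the released channel may still hold the pointer that was read earlier with `conn = lchan->conn`; nothing in the visible lines resets it. The preceding lines appear to clear the connection's own channel pointers before the free, so the free routine probably cannot reach back to `lchan` through `conn`. If `subscr_con_free` or the release path does not clear it elsewhere (not visible here), a later signal on the same lchan would hand a dangling `conn` to `clear_request`. Consider adding `lchan->conn = NULL;` just before the `if (destruct)` line, or confirm that the release path already does this.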