author | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-06-30 09:22:31 +0800 |
---|---|---|
committer | Holger Hans Peter Freyther <zecke@selfish.org> | 2010-06-30 11:59:29 +0800 |
commit | 66efcbce659239a9d47e893293e88a9dc7cd8251 (patch) | |
tree | 128ec44eb0b65c3a504a97a67f373f7bf0f9232b /openbsc/src/gsm_subscriber_base.c | |
parent | 93d50e69d37b3e3bd5cd41967705b8645cfefdec (diff) |
gsm_subscriber_base: Take a ref on the subscriber to avoid use after free
On expired paging we might access a GSM Subscriber that has already
been deleted. To avoid this we will add a subscr_get/subscr_put for
the subscriber to the allocation and release path of the request.
Reported-by: Richard Zahoransky
Diffstat (limited to 'openbsc/src/gsm_subscriber_base.c')
-rw-r--r-- | openbsc/src/gsm_subscriber_base.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/openbsc/src/gsm_subscriber_base.c b/openbsc/src/gsm_subscriber_base.c index 50e6865bf..c06b1ce6b 100644 --- a/openbsc/src/gsm_subscriber_base.c +++ b/openbsc/src/gsm_subscriber_base.c @@ -1,7 +1,8 @@ /* The concept of a subscriber as seen by the BSC */ /* (C) 2008 by Harald Welte <laforge@gnumonks.org> - * (C) 2009 by Holger Hans Peter Freyther <zecke@selfish.org> + * (C) 2009-2010 by Holger Hans Peter Freyther <zecke@selfish.org> + * (C) 2010 by On Waves * * All Rights Reserved * @@ -88,6 +89,7 @@ static int subscr_paging_cb(unsigned int hooknum, unsigned int event, request->cbfn(hooknum, event, msg, data, request->param); subscr->in_callback = 0; + subscr_put(subscr); talloc_free(request); return 0; } @@ -165,7 +167,7 @@ void subscr_get_channel(struct gsm_subscriber *subscr, } memset(request, 0, sizeof(*request)); - request->subscr = subscr; + request->subscr = subscr_get(subscr); request->channel_type = type; request->cbfn = cbfn; request->param = param; |
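Review bot: In subscr_paging_cb (hunk at -88,6 +89,7), the new subscr_put(subscr) releases through the local subscr pointer, while the reference was stored in request->subscr; the pairing is only correct if both name the same object at this point. Consider subscr_put(request->subscr) directly before talloc_free(request) so the release visibly matches the get in subscr_get_channel. This is also the only release shown in the patch: if a request can be freed anywhere other than this callback, that path would leak the reference, so either audit those paths or move the put into a talloc destructor on the request.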
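Review bot: In subscr_get_channel (hunk at -165,7 +167,7), the assignment request->subscr = subscr_get(subscr) makes the request an owner of the subscriber, but nothing at that line documents it. A short comment stating that the reference is held for the lifetime of the request and dropped in subscr_paging_cb would keep the get/put pair from drifting apart in later changes. If any code after this assignment can bail out and free the request without the callback running, it needs a matching subscr_put.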