diff options
author | Harald Welte <laforge@gnumonks.org> | 2010-12-23 02:47:53 +0100 |
---|---|---|
committer | Harald Welte <laforge@gnumonks.org> | 2010-12-26 19:20:57 +0100 |
commit | d683d3fa6ab3d8ee33b1121081037305dce5e0cc (patch) | |
tree | d473cd6db29185bc3c3e85f8e3d01b1b36ba6932 /openbsc/src | |
parent | b396999bd9f13ccbf838cca856751e9746c138c5 (diff) |
mncc_sock: Fix potential segfault in case MNCC app dies
We create a loop by not setting trans->callref = 0 before calling
trans_free(), as the latter would again send a MNCC_REL_IND up
the stack.
Also: Fix memory leak in case we try to read from mncc_sock
but socket is just gone.
Diffstat (limited to 'openbsc/src')
-rw-r--r-- | openbsc/src/gsm_04_08.c | 4 | ||||
-rw-r--r-- | openbsc/src/mncc_sock.c | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/openbsc/src/gsm_04_08.c b/openbsc/src/gsm_04_08.c index 23fa9163e..29c9dbaa4 100644 --- a/openbsc/src/gsm_04_08.c +++ b/openbsc/src/gsm_04_08.c @@ -337,8 +337,10 @@ void gsm0408_clear_all_trans(struct gsm_network *net, int protocol) LOGP(DCC, LOGL_NOTICE, "Clearing all currently active transactions!!!\n"); llist_for_each_entry_safe(trans, temp, &net->trans_list, entry) { - if (trans->protocol == protocol) + if (trans->protocol == protocol) { + trans->callref = 0; trans_free(trans); + } } } diff --git a/openbsc/src/mncc_sock.c b/openbsc/src/mncc_sock.c index 30520091e..e9e62769c 100644 --- a/openbsc/src/mncc_sock.c +++ b/openbsc/src/mncc_sock.c @@ -144,6 +144,7 @@ static int mncc_sock_read(struct bsc_fd *bfd) return rc; close: + msgb_free(msg); mncc_sock_close(state); return -1; } |