From 1a345ca48fc3e2cd172a5020a8d204553811b379 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Fri, 27 Dec 2013 17:37:27 +0100 Subject: lu crash: Fix a crash that likely occurred during the LU procedure conn->loc_operation is already NULL (e.g. due a five second timeout but we are still processing a RSL message after we initiated the release procedure). Do not attempt to authorize a subcriber without knowing the key_sequence. This can cause more problems but we will need to test this in the field. (gdb) bt #0 gsm0408_authorize (conn=0x19fc2f0, msg=) at gsm_04_08.c:323 #1 gsm0408_authorize (conn=0x19fc2f0, msg=) at gsm_04_08.c:319 #2 0x000000000043a99a in mm_rx_id_resp (conn=0x19fc2f0, msg=) at gsm_04_08.c:495 #3 gsm0408_rcv_mm (msg=, conn=0x19fc2f0) at gsm_04_08.c:1041 #4 gsm0408_dispatch (conn=0x19fc2f0, msg=) at gsm_04_08.c:3232 (gdb) p *conn $5 = {entry = {next = 0x1746930, prev = 0x1a14270}, subscr = 0x1745eb0, expire_timer_stopped = 1 '\001', loc_operation = 0x0, sec_operation = 0x0, anch_operation = 0x0, silent_call = 0, put_channel = 0, sccp_con = 0x0, in_release = 0, lchan = 0x7f8c79007218, ho_lchan = 0x0, bts = 0x1719f90, T10 = {node = { rb_parent_color = 0, rb_right = 0x0, rb_left = 0x0}, list = {next = 0x0, prev = 0x0}, timeout = {tv_sec = 0, tv_usec = 0}, active = 0, cb = 0, data = 0x0}, secondary_lchan = 0x0}
---
 openbsc/src/libmsc/gsm_04_08.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'openbsc/src/libmsc')
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c
index 75e464d5f..3efdb8f29 100644
--- a/openbsc/src/libmsc/gsm_04_08.c
+++ b/openbsc/src/libmsc/gsm_04_08.c
@@ -318,6 +318,9 @@ static int _gsm0408_authorize_sec_cb(unsigned int hooknum, unsigned int event,
 static int gsm0408_authorize(struct gsm_subscriber_connection *conn, struct msgb *msg)
 {
+ if (!conn->loc_operation)
+ return 0;
+
 if (authorize_subscriber(conn->loc_operation, conn->subscr))
 return gsm48_secure_channel(conn, conn->loc_operation->key_seq,
-- 
cgit v1.2.3
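Review bot: The new guard at the top of gsm0408_authorize returns 0 silently when conn->loc_operation is NULL, so the out-of-order case the commit message describes (an MM message still being dispatched after the location-update operation was torn down by the timeout) leaves no trace in the logs, even though the message says the behaviour still needs to be tested in the field. A log line before the return, along the lines of `LOGP(DMM, LOGL_NOTICE, "Authorize request without pending LU operation, ignoring\n");`, would make the condition observable and help tell a harmless late message from a real state-machine bug. A one-line comment on the guard, such as `/* The LU may already have been released (e.g. by the timeout) while this message was in flight */`, would also spare the next maintainer a trip to the commit log. What a 0 return means to the callers seen in the backtrace (mm_rx_id_resp, gsm0408_rcv_mm), and whether they touch loc_operation themselves, is not visible in the hunk and is worth confirming. The body of gsm0408_authorize continues past the hunk (the remaining arguments of gsm48_secure_channel and the final return).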