From f11b6d2f30f2a307d8b8e7398119d423ce8bb012 Mon Sep 17 00:00:00 2001
From: Harald Welte <laforge@gnumonks.org>
Date: Wed, 2 Jun 2010 10:09:50 +0200
Subject: [GPRS] SGSN: fix another segfault (and use-after-free) when GGSN is
 dead

---
 openbsc/src/gprs/sgsn_libgtp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'openbsc')

diff --git a/openbsc/src/gprs/sgsn_libgtp.c b/openbsc/src/gprs/sgsn_libgtp.c
index 03de8ccd2..f42ea8c7a 100644
--- a/openbsc/src/gprs/sgsn_libgtp.c
+++ b/openbsc/src/gprs/sgsn_libgtp.c
@@ -233,6 +233,7 @@ static int create_pdp_conf(struct pdp_t *pdp, void *cbp, int cause)
 {
 	struct sgsn_pdp_ctx *pctx = cbp;
 	uint8_t reject_cause;
+	int rc;
 
 	DEBUGP(DGPRS, "Received CREATE PDP CTX CONF, cause=%d(%s)\n",
 		cause, get_value_string(gtp_cause_strs, cause));
@@ -267,10 +268,10 @@ reject:
 	pctx->state = PDP_STATE_NONE;
 	if (pdp)
 		pdp_freepdp(pdp);
-	sgsn_pdp_ctx_free(pctx);
 	/* Send PDP CTX ACT REJ to MS */
-	return gsm48_tx_gsm_act_pdp_rej(pctx->mm, pdp->ti, reject_cause,
+	rc = gsm48_tx_gsm_act_pdp_rej(pctx->mm, pctx->ti, reject_cause,
 					0, NULL);
+	sgsn_pdp_ctx_free(pctx);
 
 	return EOF;
 }
-- 
cgit v1.2.3